rahmetu

886 posts

@sshbounty

fixing printers and Learning how to code, hack :)

Joined August 2022
335 Following 348 Followers
Pinned Tweet
rahmetu @sshbounty
Yay🥳, I was awarded $750 bounty on @Hacker0x01! #TogetherWeHitHarder It's my first ever bounty. It took me 2 years to get my first payout. Yeah, it took me that long to get a reward and I am so glad I did it. A little tip for those who are struggling with bug bounty hunting. A 🧵
rahmetu retweeted
Dave Kennedy @HackingDave
Alright, I've stayed away from the Mythos stuff for a little bit. Going to comment on that, but AI as a whole. First, this AI industry is absolutely insane. I feel like I'm back in the 90s/2000s with innovation, but it's not tempered or methodical - it's pure chaos. Every day there is some AI-dude-bro (or gal) clawing for followers claiming end of cybersecurity, end of software engineering, or this breakthrough changes everything. We're seeing the "streamer" effect of video games now exploding in every industry that hasn't been in whatever industry, but is now an AI-expert thus an expert in anything AI touches because they can prompt. Largely it's not, but what it is doing is requiring us to understand what AI will do to virtually every industry in the future. I'm sitting here right now at a conference I'm presenting at, and I spoke with an individual which was like man... I'm just trying to get through this SAP implementation at my company, I don't even know where to start with AI at the moment. We are still in the extreme early stages of what AI can do, and I think that's really the exciting part - we are at the infancy stages of this. Most enterprises can't handle AI, as most companies couldn't handle agile workflow when it came out either, it took time, but eventually adopted. I won't dive deep into the scalability of releasing AI to the masses based on compute, power, or subsidies because these are real hurdles we need to solve. As you can see with Claude's spike in popularity is causing them to have to dumb the model down upwards of 65% just to stay afloat (Claude is absolutely awful right now for coding - beware). Mythos is cool, really cool - but it's not earth shattering as claimed. The potential here we are seeing a glimpse of what can actually happen though. The ability to do extremely complex tasks, with insane context windows, and high-end reasoning.
But, what we saw from other current frontier models including open LLMs, they were able to find the same issues, but had to be specifically targeted towards those code sections because of context limitations and complex task reasoning which was drastically improved in Mythos. What does this mean? Basically. Nothing. It's a lot of marketing hype - but it does prove out that as these models become smarter, it will inevitably produce much better code, be able to work in mind blowing fashions that we haven't seen before - but it will all come down to cost. Right now Mythos is extremely expensive because of the compute needed, and we may solve that over time, but it's not there yet. The subsidies right now mean AI is not ready. Scale is our biggest bottleneck right now and until that's solved, the industry will not move as fast as it could. What's particularly impressive is how the open models are starting to perform on par (or better) with the frontier models and become way more efficient without restrictions (turboquant) as an example. Our ability to use near parity models on our own hardware will only continue to get better which is a huge threat for these companies. I at first looked at Cursor's implementation of Kimi as they were falling behind because it wasn't "their own model". That wasn't accurate, it's that the open models are performing substantially better than from 6 months ago, and will soon be leading the charge or close to it. What does this mean for cybersecurity? The industry is changing rapidly, and I absolutely freaking love it. We needed a swift kick in the ass in this industry that was largely stagnant for the past 10-15 years. What used to be a handful of incredibly talented security researchers that knew systems internals, savants at reverse engineering and reading through millions of lines of ASM is now being afforded to the masses, but still has a long way to go.
The reason AI is so good at doing this stuff is because they paved the way, and will continue to do so in different ways. Not eliminated or removed, enhanced and better than ever. AI is single handedly the largest theft of plagiarism that has ever happened in human history. I just got a 10K check from Claude for ripping off my Metasploit book to train its model to be smarter actually :P I am all for things that make the world a safer place. Our goal in cybersecurity is to fix the world, make it less harmful when using technology - we should be adopting this. Note that it's going to come with a ton of fluff, hype, doomsday predictions, people that are now AI experts or coding experts but have never written a line of code themselves. That's all to be expected if you have ever been to an RSA conference. AI will produce meaningful change in an industry that needed it. Cybersecurity is much more than bugs or defects, it's protecting against risk. AI is a new emerging risk, it's going to keep us insanely busy right now, and for the foreseeable future.
rahmetu retweeted
Phillip Wylie @PhillipWylie
Overcoming public speaking fears? Toastmasters is your secret weapon. Recording yourself on video revealed you *don't* look as nervous as you feel. Practice speaking, refine your delivery, and build unshakeable confidence. #PublicSpeaking #Toastmasters
rahmetu retweeted
Truffle Security @trufflesec
🚨 Google told devs: API keys aren't secrets. Gemini changed that. 😱 We found ~3,000 public keys silently authenticating to Gemini - exposing private files, cached data & charging for LLM usage 💥Even Google's own keys were vulnerable. 🔗 trufflesecurity.com/blog/google-ap…
rahmetu retweeted
Critical Thinking - Bug Bounty Podcast
We finally had @thedawgyg on the pod to talk about his origin story, recent Chrome research and how he optimises his AI workflow, his famous 180K payout on Yahoo and a LOT more. This is an episode we know a lot of people have been looking forward to, check it out! youtu.be/kpFfde3rNFs
rahmetu retweeted
Intigriti @intigriti
Are you still searching for your first valid vulnerability? Q2 is just around the corner! It's time to lock in! 🫡
Join us in #BugQuest! Starting today, we'll share bug bounty tips, techniques, and resources that anyone can use to find Broken Access Control (BAC) vulnerabilities, no matter your experience level, background, or skill set, for 31 days.
Wish to stay ahead? Be sure to:
✅ Follow @INTIGRITI
✅ Share this post with your hacker friends
✅ Tag your bounty buddies who should join
Day 1 is live now! Swipe through to see today's post on learning what Broken Access Control (BAC) vulnerabilities are.
Come back daily to unlock more tips. Let's end Q1 2026 with at least a valid finding and start Q2 2026 with even more submissions! 💪 #BugBounty #HackWithIntigriti
rahmetu retweeted
payloadartist @payloadartist
I wish I knew this earlier. There is a website that shows you what CSP bypasses are possible by pasting the CSP policy in it. cspbypass.com Basically you can look up vulnerable 3rd party JS libs and SDKs from the whitelisted CSP sources #bugbountytips #bugbounty
rahmetu retweeted
PentesterLab @PentesterLab
Research Worth Reading - Week 8, 2026
Java x2, Go, JWT and a sprinkling of AI
🦫 CTFtime.org / justCTF [*] 2020 / Go-fs / Writeup
A cool Golang quirk via an unintended CTF solution ctftime.org/writeup/25852.
☕️ Almost Impossible: Java Deserialization Through Broken Crypto in OpenText Directory Services
What an adventure in Java Deserialisation... slcyber.io/research-cente….
😱 Vulnerability Disclosure: JWT Authentication Bypass in OpenID Connect Authenticator for Tomcat
The exact same vulnerability I found in HarbourJWT but in a much cooler target, still not fixed... insinuator.net/2026/02/jwt-au….
☕️ CVE-2026-0603: Second-Order SQL Injection in Hibernate UPDATE/DELETE (InlineIdsOrClauseBuilder)
A bit of a stretch but an interesting insight into Hibernate: herodevs.com/blog-posts/cve….
🤖 Using threat modeling and prompt injection to audit Comet
The team at Trail of Bits is sharing some key learnings from their audit of Comet (AI browser) blog.trailofbits.com/2026/02/20/usi….
rahmetu retweeted
Joe Desimone @dez_
Calling it now: aided by LLMs for vuln discovery, patch diff, and weaponization, exploitation for initial access and privesc is going to majorly increase in the next 12 months. This is based on my personal success beginning with opus 4.5, and more so now with 4.6.
rahmetu retweeted
Sean McClure @sean_a_mcclure
Do not start with fundamentals. This is an awful approach to learning. Start with so-called "advanced" topics and ask questions until every term/concept is understood. This is the correct, rigorous, scientific way to learn, because the advanced topics are embedded in larger, more convoluted, more abstracted constructs. This embedding is what gives the individual pieces their *meaning*. Foundational studies have removed this embedding, and present only the isolated, sterile pieces. They have no meaning. They have no context. The notion that students will piece together fundamentals into some eventual synthesis down the road is absolutely incorrect. It is literally information-theoretically obtuse. Children don't learn language using pieces. They mumble *fully*. They are never not fully embracing the complexity. It is the juxtaposition between their naive attempts and the full picture that imbues their mind with learning. Prerequisites are the dumbest approach to learning. It is utterly indefensible using any scientific argument. The basics-to-advanced directionality is diametrically opposed to how information is encoded, comprehended and used. Prerequisites are why most computer scientists and whiteboard exam-passers can't make software themselves; they can only be cogs in a company. It's why a Princeton math PhD can write the update rule for gradient descent but can't draw the actual process with circles and lines on a damn chalkboard (true story). Idiot level stuff because their learning was all basics to advanced. They never defined terms and concepts in an embedded fashion. It was all disconnected. Meaningless muscle memory with no understanding. It does not work both ways. Only pieces that are seen inside the bigger picture are understood. Do not start with fundamentals.
rahmetu retweeted
Ben Sadeghipour @NahamSec
In case you missed it, all of the talks from both conferences last year are posted on our website for free. Watch all 20+ talks here 👉🏼 nahamcon.org
rahmetu retweeted
Behi @Behi_Sec
You can find a critical bug on any target by applying 4 simple rules:
- Use the target service as a customer
- Use every single feature they provide
- Read every single doc they have
- Test basic common bugs on all of those features
This is literally all you need to succeed.
rahmetu retweeted
spaceraccoon | Eugene Lim @spaceraccoon
I don't know who needs to hear this, but: If you're bug bounty hunting, test the main scope. There are far more bugs hiding there than you think...
rahmetu retweeted
Ben Sadeghipour @NahamSec
Instead of making a 3rd how to bug bounty and share resources and labs, I decided to reflect on my journey in the last 3 years and share some of the things that helped me earn over $1,000,000+ in bounties in these 3 years. Here's what I have learned 👉🏼 youtu.be/oFxcG7yerG4
rahmetu retweeted
Nagli @galnagli
Introducing my Bug Bounty Masterclass. 100% free. I've made $2,000,000+ finding security bugs. I spent the last year turning my methodology into a complete blueprint. 4 hours of video - foundations, reconnaissance, web proxies, hands-on challenges, and certification. Finish it in a weekend and start hacking real-world applications 🐞