r/AskNetsec

AI alert-summarization tool that actually reduces triage time?

copilot has been completely useless for actual triaging.

whoever decided every alert needs an AI summary owes me hours of my life back.

"possible suspicious activity detected based on observed behavioral patterns."

thanks.

that tells me exactly as much as the alert title did.

if i still have to open the process tree and check parent processes and look at network connections and pivot through logs and build the timeline myself... what exactly did the AI save me?

just hire more analysts at this point.

anyone actually found one that helps or is this just how it is now

reddit.com
u/Mind-Principle-1834 — 10 hours ago

Can Malware Transfer Through Wifi

Yo so I've been wondering since my brother tends to have not so safe internet habits, if potential malware from his laptop can potentially transfer to other devices that also share the same WiFi/network. Also does proximity matter (like side by side Vs in another room). And also if malware could transfer, how to prevent it since I can't control what my brother does. Also I can't do anything router related since it's up to my dad and he doesn't care as much about malware.

Essentially, is it possible? How to prevent it? Is it likely?

reddit.com
u/WilliedWegdies — 1 day ago

How are people verifying identity on unclassified DoD calls?

Reading about the recent government Signal chat incident and it got me thinking. When you're outside a SCIF and discussing sensitive but unclassified stuff like program schedules, logistics, milestones etc. how are people actually verifying they're talking to the right person?

CACs and PKI don't really help once you're off secure systems. Is it mostly just callbacks, known numbers and recognizing someone's voice or are there better processes? I know Kibu's a thing, but I'm more interested in how people are solving the problem today.

Curious what the norm is for people working in the defense contractor world

reddit.com
u/Rare_Chocolate5859 — 2 days ago

Why do some seemingly low risk accounts require such secure passwords?

Was signing up for a supermarket loyalty card, and the password requirements includes:

At least 12 characters

At least one special character from:

!\"$%&'()*+,-./:;<=>?@[\]^_^{}~

I do understand it's to not be hacked etc, but, why such a secure password for a loyalty card? Passwords for things like banks and other services in my experience have essentially half the requirements, and other loyalty cards I've used have, once again, requirements that aren't close?

reddit.com
u/Mince-And-Cheese-Pie — 3 days ago
▲ 4 r/AskNetsec+1 crossposts

Is “patch faster” enough if sensitive services remain reachable by default?

We’ve been discussing in the Cloud Security Alliance Zero Trust group how AI-speed vulnerability discovery changes Zero Trust implementation. Time-to-exploit trends suggest defenders have less time to patch exposed services, and CISA’s risk-based remediation approach treats public exposure as a major factor in urgency.

That made me think the architectural question is not only “how do we patch faster?” but also:

Why are so many sensitive services reachable by default in the first place?

My view is that Zero Trust needs to move beyond perimeter/ZTNA framing and focus more on reducing reachability before connection. For private services, admin paths, APIs, workload paths, partner access, and agentic workflows, the safer default should be: no service path exists unless identity, policy, posture/context, and session state allow it.

I wrote this up for CSA here:
https://cloudsecurityalliance.org/blog/2026/07/02/ai-speed-risk-requires-identity-defined-reachability

Disclosure: I’m the author and co-lead CSA’s Zero Trust Networking workstream, so I’m obviously close to the argument. I’m interested in practitioner pushback: is this realistic in enterprise environments, or does it break down with legacy apps, hybrid routing, OT, troubleshooting, or policy operations?

u/PhilipLGriffiths88 — 3 days ago

how much monitoring is enough for card fraud?

I was reading through fraud setups for card programs and the advice always brings up more monitoring like that’s a clear answer but if u keep layering alerts rules and manual review on top of each other it feels like you just end up watching everything and understanding nothing.

Where does that tipping point hit where extra monitoring stops reducing risk and only burns time?

reddit.com
u/FutureTrip1646 — 3 days ago

How do I secure a network that has IOT devices and roommates, computers that may be compromised with RAT malware

I’m trying to reset my home network and keep it secure. Need some advice.

Someone was downloading, pirate software, and paste some sketchy commands into terminal. By “someone” I mean “me” . Anyway, I’ve got a brand, new router and modem that hasn’t been hooked up yet. But they’re just garbage level product from spectrum. I would like to set something up so that each person has a node or a connect to themselves but isolated from the rest of the network.

The more I look into what products I might want the more confused I start to get. Also, I need to set up an IOT network because I don’t want my IOT devices to potentially infect other things..

Another question I have is if it’s worthwhile to get a TDS or firewall (a physical one) and which devices would be ones that I should consider.

The guy who found the malware and somewhat eradicated it said it was a very complex and dastardly one that has three parts that masquerade system software, get into the firmware and will travel through AirDrop and Bluetooth. Changing timestamps and stuff to hide what they’re doing and masquerading as system processes.

I know some of the people out there are probably just crazy but when I start researching, I find people who have gotten this on their networks and just cannot seem to clear it out. I think some of them are just being paranoid, but I think others are actually experiencing..

Right now, the new modem and router have not been hooked up to the network. I’m thinking about getting a new Apple ID and wiping my phone. Because this malware doesn’t really do anything malicious other than ship all your data out. It’s very hard to detect. It’s about being incognito and providing offset to whoever wants to remote into you later..

I figure I’ll block all connections with little snitch. And only approve the ones that I review as safe. I believe the malware is 3crypt RAT or a similar variant.

https://www.pcrisk.com/removal-guides/35298-3crypt-rat-mac

I’m overwhelmed and not sure even which step to begin on. And just for clarity, I’m not asking anything about if I was hacked. I’m trying to figure out the best way to build a secure network moving forward from this.

reddit.com
u/Micro-Naut — 3 days ago

AI security rules keep assuming a network boundary that doesn't exist anymore

Spent a few days last quarter writing something to control what could reach the internet, got it approved and put it live without much trouble.

3 weeks later someone noticed traffic going to a service nobody had signed off on

What we put in place targeted specific domains, but the team had been using the same service through a browser extension the whole time, so it slipped right past.

That's when it hit me the whole thing assumed something that isn't really there anymore. Browser extensions, embedded features inside approved platforms, calls from software that was already allowed and plenty of activity that never gets inspected at all.

How are others enforcing this without trying to block every possible path?

reddit.com
u/Icy-Journalist-2556 — 4 days ago

How to make a server backup secure?

Good evening everyone,

Unfortunately, English is not my native language, so I'm using a translator. I hope you understand what I'm trying to say.

I am currently setting up my own homo server with various functions, including digital file management for everything. Since I want to do everything right, I'm already looking into security and how to make an encrypted backup that's stored in the cloud.I know one can debate why the cloud is the best option, but currently it's the most convenient for me unless someone has a better idea.

My question is, what standards should I set for safety? I would like to ensure it's secure for the next few decades; I am of course aware that this includes backups and checking for newer options.However, it is important to me that it is already quantum-safe, since the data can potentially be stored.I'm not a conspiracy theorist; probably no one cares about my bills, but I'm still suspicious of everyone at first.

According to current knowledge, AES 256 is sufficient for quantum safety...

I was just toying with the idea of AI, and it was this (I'll let the AI describe it)

My 3-Stage "Coma & House Fire" Backup Architecture (0$ Running Costs):

Stage 1 (Automated Everyday Use): A 512-bit random keyfile stored locally on the server (chmod 600). The cloud destination uses S3 Object Locking (Append-Only) to block ransomware from deleting past backups, even if the server is compromised.

Stage 2 (Server Crash): A copy of the keyfile on a LUKS-encrypted USB stick (using a simple passphrase from my head) to rebuild the system if only the hardware fails.

Stage 3 (The Apocalypse – House Fire + Coma + Amnesia): A master passphrase split into a 2-of-3 Shamir's Secret Sharing (SSS) scheme, stamped onto 3 fireproof stainless-steel plates. The shares are hidden with 3 different family members. If my house burns down and I’m in a coma, my family can legally retrieve any 2 plates, run ssss-combine, and restore everything without my memory.

Am I exaggerating my question here? My requirements were essentially maximum reliability and the greatest possible security with various fallback options.

I am looking forward to your answer.

reddit.com
u/NovelMechanic6991 — 4 days ago

What is LLM penetration testing and which vendors offer it as a managed service?

been seeing "llm penetration testing" come up more in security conversations at work and just trynna understand what it covers before committing to any vendor.
from what i can tell it's not just running prompts at a model and seeing what breaks. thou the part that worries me most is the agent surface, tool calls firing with more access than the task needs, or the agent getting talked into an action by an indirect prompt injection buried in retrieved content. then there's also sensitive data leaking out the other side, not from anything the base model memorized but from the retrieval context or whatever the agent can reach.
what i can't tell though is how much of this is manual red teaming vs automated scanning, or whether you can get llm security testing as an ongoing managed service rather than a one-time engagement.
we've got a couple of internal llm tools, yes a rag assistant and an agent wired into some internal apis, and i want to know how exposed we are to this stuff before something goes wrong, not after.

my question is if you've had an llm pen test done or run one yourself, what did it surface that your regular appsec or api review missed?

reddit.com
u/Emergency_One_3557 — 5 days ago
▲ 6 r/AskNetsec+1 crossposts

What are you using to collect, calculate, and report security KPIs?

Hi everyone;

I've been looking around and haven't found a tool that lets you actually define and track your own KPIs. Not control compliance I mean real KPI tracking: define the metric, track it over time, report on it.

Everything I find is either a GRC tool (compliance-focused, not KPI-focused) or a BI tool you have to bend into shape yourself.

What's actually working for people here? Spreadsheets, Grafana, something built in-house, a GRC tool that secretly does this well?

reddit.com
u/No_Relief3499 — 5 days ago

Who do you like better for pentesting? Boutique or big name providers?

For those who have gotten pentests from both small boutique providers and big name major players, which do you prefer and why?

reddit.com
u/Standard-Hearing-208 — 6 days ago

I discovered an ongoing security issue, how do i best inform people?

I found over 100 infected public GitHub repositories, including several with 100+ forks. I'm manually tracking down maintainers and emailing them. Is there a better or more scalable way to notify them?

reddit.com
u/Dramatic-Bug6898 — 6 days ago

Anyone else noticing security vendors quietly shifting from “network” language to “identity” language?

Been sitting through a bunch of architecture reviews lately and it hit me that almost nobody talks about “the perimeter” anymore. Every pitch is about identity context, device posture, continuous verification, session risk etc....which honestly tracks with reality. Most companies barely have a meaningful network boundary now between SaaS, remote work, contractors, and cloud workloads everywhere.

But at the same time, it feels like identity providers have quietly become the single most critical dependency in enterprise security. One bad conditional access policy and suddenly half the company can’t function. Are identity systems becoming a bigger single point of failure than networks ever were?

reddit.com
u/AlexPete2 — 6 days ago

Beginner SOC question about a PowerShell/Wazuh alert

Hi everyone,

Wazuh, Sysmon, and alert analysis . I received an alert that I'm trying to understand better and would appreciate guidance on how an analyst would investigate it.

The Wazuh rule triggered:

Rule ID: 92213
Description: "Executable file dropped in folder commonly used by malware (Lowered Severity)"
MITRE: T1105 – Ingress Tool Transfer

Important details:

  • Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • File created: C:\Users\someone\AppData\Local\Temp\__PSScriptPolicyTest_cebr0opm.pas.ps1
  • Sysmon Event ID: 11 (File Create)

What confuses me is the filename:

__PSScriptPolicyTest_*.ps1

I found some information suggesting PowerShell can create temporary files while checking execution policies, but I’m not sure whether this should be considered suspicious behavior or expected activity.

My questions:

  1. Would you classify this as a true positive or false positive?
  2. What would be your first investigation steps?
  3. Which additional logs or Sysmon events would you pivot to?
  4. Does the MITRE mapping make sense here, or could this be a generic detection generating noise?

I'm trying to understand the investigation methodology and analyst thought process rather than just getting the answer.

Thanks!

reddit.com
u/SignatureForward9397 — 5 days ago

CTF challenge is impenetrable

Hey everyone,

I'm currently working on a CTF challenge from SecDojo and I'm a bit stuck.

The setup is:

- I have access to one machine

- There are 4 additional machines to pivot into

- Each machine contains 2 flags

- SSH access is not available (requires a key I don't have)

- The only exposed service I can use is HTTP

I was also provided with an APK file, which I assume is part of the challenge, but I'm not very experienced with analyzing Android apps.

What I’ve tried so far:

- Basic enumeration over HTTP

- Looking for common endpoints (admin, login, etc.)

What I’m struggling with:

- How to use the APK effectively in this scenario

- How to pivot from the initial machine to the others using only HTTP

- Whether I should focus more on reverse engineering the APK or web exploitation

Any hints or guidance would be really appreciated (no full solutions please 🙏)

Thanks!

#Help

reddit.com
u/myassin75f — 7 days ago

Has anyone tried AI for phishing simulations?

People at the org have basically figured out our simulation emails and before you say that is a good thing they are not security aware, they just know what our test emails look like. Saw some platforms that use AI to adapt to each person with different styles, timing, channels etc. Sound interesting. Anyone tried something along the line? Please give your "whys" with the recommendations Thank you.

reddit.com
u/Training_Leave_5433 — 7 days ago

Best Practices for Authorized Web Security Scanners Behind Cloudflare WAF

Hi everyone,

I'm building a SaaS security scanner that performs authorized security assessments for customer-owned websites. One challenge I'm facing is that many customers use Cloudflare or other WAFs, which can rate-limit or block automated scanning traffic.

I'm not looking for ways to bypass security controls on unauthorized targets. Instead, I want to understand the industry best practices for making an authorized scanner reliable while working with WAFs.

Some questions I have:

How do commercial scanners handle Cloudflare and similar WAFs during authorized assessments?

Is IP allowlisting the standard approach, or are there better alternatives?

Are there vendor-supported mechanisms (such as scan verification, authenticated tokens, or APIs) that I should implement?

How do you balance scan speed with avoiding false positives and rate limiting?

If you've built or operated a security scanning platform, what lessons or design decisions would you recommend?

I'm particularly interested in hearing from anyone who has experience building commercial vulnerability scanners or security assessment platforms.

Thanks in advance for sharing your insights.

reddit.com
u/abhikarthik — 6 days ago

How would you classify these LLM behaviors under the OWASP LLM Top 10: security vulnerabilities or robustness issues?

I'm looking for technical opinions from people working in application security and AI security.

I recently performed a black-box assessment of an LLM API and observed several behaviors including:

  • Identity changes caused by system messages.
  • Identity changes when a tools array is present.
  • Reasoning output exposing system prompt content that the user-facing response refused to reveal.
  • XML/structured prompt injection affecting model behavior.
  • Tool-result instruction injection.
  • Few-shot identity conditioning.

I originally classified these as security vulnerabilities, but after feedback I removed CVSS scoring and instead mapped them to the OWASP LLM Top 10 (primarily LLM01, LLM02 and LLM07).

The disagreement I've received is not about the observed behavior, but about the classification. Some argue these are expected model behaviors or robustness issues rather than security vulnerabilities.

My question is:

From a security engineering perspective, where would you draw the line between:

  1. Expected LLM behavior
  2. Robustness failures
  3. Security vulnerabilities

Is the deciding factor the existence of an exploit primitive itself, or must there always be demonstrated business impact (for example actual confidential data disclosure or privilege escalation) before something should be classified as a security vulnerability?

I'm looking for technical reasoning rather than opinions about the specific vendor.

Report: https://github.com/flawme/SARVAM-2026-001

reddit.com
u/Inner-Combination177 — 7 days ago