r/Information_Security

▲ 35 r/Information_Security+5 crossposts

Got an AI agent past a Cloudflare WAF by giving it a RAG over past bypass research

Sharing a workflow that worked for me. The retrieval layer involved is my own project, so mentioning that upfront.

Setup: I was testing an XSS on a target behind Cloudflare, and every payload I tried was getting blocked by the WAF.

This time, instead of manually digging through old writeups, I gave my agent access to a retrieval layer built on top of a corpus of web security research (Preview RAG). The agent queries it in plain language, gets back actual writeups with sources attached, and uses that context to generate and test payload variants. One of those variants eventually got through and the XSS fired.

I'm not claiming the bypass itself is novel. It may already exist in a public writeup somewhere. What mattered to me was the workflow: the agent wasn't limited to whatever happened to be inside its training data. It could pull in relevant prior research and iterate from there.

That's the main reason I built this in the first place. Models have a training cutoff, but WAF evasion evolves quickly. Public bypasses get patched, new techniques appear, and the most useful information is usually the newest information. A retrieval layer helps bridge that gap.

The corpus is updated regularly and exposed over MCP, so it can be connected to any model with minimal setup, including smaller open-weight models.

Current limitations: it's strongest on client-side topics right now—XSS, WAF evasion, CSP, CORS, SSRF, request smuggling, and similar areas. Server-side coverage is improving, but still thinner, and it definitely won't have an answer for every problem.

Happy to share more about the setup. I'm honestly more interested in where this approach fails than where it succeeds. If you've experimented with agent-driven WAF bypassing and ran into hard limits, I'd love to hear about them.

u/Substantial_Kick4689 — 22 hours ago
▲ 10 r/Information_Security+5 crossposts

i need guidance what to do after i finished my firewall project.

hello guys, i just finished my first project which is a NGFW Firewall .
and after testing it on over 40 kinds of malwares it was really successful against polymorphics and other kind of malwares i need someone to guide me should i publish it as an Open-source firewall or should i wait for someone to get interested in it and maybe he could buy it from me .
.
github.com/manaf-dev1/sentinel-firewall
this is the firewall its just a readme i update everytime i accomplish something and you'll find the latest update of what i've done .
i wish if a real expert could guide me what to do with it because in my region there's no support for this kind of stuff and they're just interested in famous providers . such as PaloAlto , etc...

github.com
u/ALDulaimi-Dev — 2 days ago

Googled myself and info about my life is just sitting on the internet

so i was bored earlier and decided to look up my own name just to see what comes up. bad mistake. i am honestly kind of losing it right now because my private info is just plastered all over the internet.

this includes my current phone number, my parents' old house address from ten years ago, full names of my relatives, and random online activity i don't even remember. all sitting on these creepy people-search sites and data broker databases. i never intentionally shared any of this.

reddit.com
u/naenae0402 — 4 days ago
▲ 4 r/Information_Security+2 crossposts

Legal Security

Hey everyone,

I’m a creative who has developed an original IP. I’m looking to legally secure it so that vultures can’t backdoor me and potentially take away my hard work. I’m sure you can imagine what it would be like to work on a project for 10 years, to then present it various ways for “funding” only for everyone to deny you and then suddenly your idea pop up outta nowhere or something ODDLY similar.

I’d like to avoid that altogether as best I can and am asking anyone with an entertainment or creative background how they secured their art. Any help would be greatly appreciated. Thank you.

reddit.com
u/Thicc-tony — 3 days ago
▲ 167 r/Information_Security+7 crossposts

A searchable knowledge base of web security research, for you or your AI agent

Built a small tool web security research.

You query it in plain English and it returns actual writeups with the source URL and the exact section that matches your question. No AI summaries or made-up answers.

Right now it's focused on XSS, WAF bypasses, CSP, CORS, SSRF, request smuggling, XS-Leaks, cache poisoning, prototype pollution, JWT/auth stuff, etc. Server-side coverage is next.

I mainly built it because when I'm stuck, somebody has usually already written about a similar problem. Finding that writeup is the hard part, especially for newer techniques that general models often miss.

Would genuinely appreciate feedback on where it fails. If you try it, let me know what you searched for and whether the results were actually useful.

u/Substantial_Kick4689 — 5 days ago
▲ 0 r/Information_Security+2 crossposts

i dont feel safe until i find out who is my scammer

Hi, i was scammed in 800€ and the person blocked me and dissapeared. The police is on it but my parents are scared to open a complaint since they know who i am and are from the same country as me. im from portugal so this might be a little hard, but i have their phone number and bank account number, i wont feel rested until i find out who this person is, or at least more information about the person. i have some facebook posts and i think the police could find their ip adress trough the posts but my parents are scared they will go after me bc they know my face and all. i cant sleep thinking about this i cant rest and i need help.

reddit.com
u/Sunflower_96 — 5 days ago
▲ 14 r/Information_Security+1 crossposts

Securence possible attack/hack/security breach in progress

Several reddit visitors, including myself, have reported not being able to access the Securence management portal since Tuesday or Wednesday of last week.

Going to admin dot securence dot com you are greeted with a 503/server unavailable message.

Email is still being filtered, in and outbound, but quarantined false-positives cannot be released, nor any account changes made. Tech support claims to have no access to the portal as well.

While the company says that they are working on it, and asks that we be patient, they have also not responded when asked if there has been a security breach. They do answer the phone and reply to email, but the universal response is that they have no information from higher-up the chain to give out, and that they are in the dark themselves.

This behavior usually indicates that there has indeed been a major breach.

The previous Securence issue (in 2024) was an open public access issue, was quickly patched, and many of us considered that to be a one-off thing. The current issue "feels" more like a hack, hijacking and/or ransomware attack.

I/we have yet to find out how much data was exposed, but the process has already begun to move my accounts from Securence ASAP.

Possibly exposed data would include current and archived emails, going back several years.

reddit.com
u/MorseScience — 7 days ago
▲ 8 r/Information_Security+1 crossposts

The health platform covering 80+ countries' national disease surveillance has a basic, fixable security gap nobody's fixed

DHIS2 is the system behind malaria, TB, and immunization reporting across most of the developing world's national health ministries. It turns out the application ships with a default admin password, derived from the platform's name, and never forces anyone to change it, not at setup, not ever.

This was flagged to the team behind it in March, followed up on twice, no real response in 90 days. The fix is a single line of code, force a password change on first login, it just doesn't exist yet. Full piece here if you want the detail: https://scrutora.com/blog/dhis2-default-credentials

(I'm affiliated with the company that did this analysis, sharing because the underlying issue matters regardless of who found it.)

reddit.com
u/Hadsa_CounterStrike — 6 days ago

We have Okta, SailPoint, and a whole IAM program. We STILL find 14-month-old orphaned accounts. Has anyone actually solved this?

I've spent the past year as the guy manually hunting orphaned accounts across 24 applications, and I need to know if anyone else is living this or if it's just us.

We have Okta. We have SailPoint. We have a full IAM program. And we still find active accounts for people who left 8 months ago, because they had access to some homegrown billing tool nobody ever connected to anything. Last month security flagged an account that had been sitting active and unmonitored for 14 months after the person quit.

The issue isn't process. It's the identity infrastructure itself. Our lifecycle tooling governs accounts inside the managed estate. Anything outside it, shadow apps, legacy tools, acquired-company systems, is structurally invisible. Deprovisioning fires cleanly for the connected apps and completely ignores everything else.

I've been reading about identity fabric as an architectural concept, the idea that governance should extend across the full application estate instead of stopping at the boundary of what's been formally integrated. Sounds right in theory.

So has anyone actually implemented something that works this way in practice? Or are we all just quietly accepting that part of the estate will always be ungoverned?

reddit.com
u/Severe_Part_5120 — 7 days ago
▲ 5 r/Information_Security+5 crossposts

Phishing Awareness Survey

Hi I’m conducting a student research survey on phishing awareness and digital security. Would appreciate responses from university/college students.

the survey is fully anonymous and would only be used for research purposes

Survey link: https://forms.gle/CmKDZoi26bVPGXYA6

u/FreeLawyer4066 — 6 days ago
▲ 14 r/Information_Security+5 crossposts

Introducing FortiBleed!

The SOCRadar Threat Research team just uncovered a staggering, active hacking campaign exposing over 30,000 verified Fortinet firewall credentials.

Here is the damage report:

🌍 Global Reach: 194 countries affected, with the US sitting at the #2 most targeted spot.

🏦 High-Value Targets: The victim roster includes major banks, telecom giants, and government agencies.

🛠️Full Visibility: We tracked the entire operation—the attacker infrastructure, the tools, and the complete victim list.

⚠️ Status: STILL active as of this publication.

Don't wait for an incident to react. Dive into the full discovery, grab the IoCs, and take immediate steps to mitigate the risk and strengthen your posture.

Read the full FortiBleed breakdown here: https://socradar.io/blog/fortibleed-fortinet-firewalls-compromised/

#ThreatIntelligence #Fortinet #CyberSecurity #InfoSec #SOCRadar

u/socradario — 7 days ago

Biometric identity verification platform for high risk environments, guys please help me with your personal experience!

We operate in a high risk environment and our current biometric verification setup is starting to feel inadequate. Seeing more sophisticated spoofing attempts, edge cases our current vendor cannot handle and a manual review queue that keeps growing. High risk for us means financial fraud attempts are frequent, the cost of a false negative is significant and we cannot afford to trade accuracy for speed or UX. Need all 3! Specifically looking for something with proven liveness detection, deepfake and spoof resistance and ideally government grade biometric accuracy. Compliance across multiple jurisdictions is also non negotiable. Anyone running biometric verification in genuinely high risk production environments, what are you using and what made you stick with it?

reddit.com
u/Confident_Pin584 — 9 days ago
▲ 12 r/Information_Security+1 crossposts

Securence portal hard down

Got notified this morning by a client that the Securence portal - admin dot securence dot com - is down. It's now over 7 hours later and I've confirmed it's still down. Email and webmail deliveries appear to be unaffected but this is of major concern. Company replies to tech support emails and phone calls that they are (of course) aware of the situation but have no time to resolution.

reddit.com
u/MorseScience — 12 days ago
▲ 1 r/Information_Security+1 crossposts

I built a free tool that checks small business websites for security gaps — sharing what I'm actually finding

I built a free tool that checks small business websites for security gaps — here's what I'm finding

Over the past few months, I've been building a cybersecurity consulting practice focused on helping small businesses. As part of that work, I created a scanner that evaluates a business's public-facing security posture in under a minute.

It doesn't require any login credentials and doesn't touch private systems. It simply looks at information that's already publicly visible from the internet.

After running it against dozens of local businesses—including dental offices, restaurants, daycares, and retail stores—I've noticed a few recurring issues:

🔹 Missing email protection records (SPF, DKIM, and DMARC)

Many businesses still don't have proper email authentication configured. Without it, attackers have a much easier time sending emails that appear to come from the business's domain.

🔹 Website security certificate issues

Some sites have expired, incomplete, or misconfigured SSL/TLS certificates. In certain cases, visitors receive browser warnings before the site even loads, which can affect both trust and customer experience.

🔹 Outdated website technologies

A surprising number of websites are running older software versions that may no longer receive security updates, increasing the risk of known vulnerabilities being exploited.

🔹 Publicly exposed information

Sometimes businesses unintentionally expose information about their technology stack, software versions, or infrastructure that could help attackers identify potential weaknesses.

What stands out most is that many of these issues are relatively straightforward to fix. The challenge isn't usually the technical solution—it's simply knowing the problem exists in the first place.

I'm curious: if you own or manage a small business, have you ever had someone review your website and email security setup?

If yes, what prompted you to do it?

If not, what's the biggest reason—time, cost, uncertainty about where to start, or something else?

reddit.com
u/kavach_Cyber — 10 days ago

Audits passed and the exploits still hit

I was looking at the more well known on chain exploits last year and they feel like the same thing to me since contracts reviewed before launch and the exploit lived in conditions the audit couldn't reach.

Majority of the losses last year hit code that had already been audited which makes sense once you look at what static analysis can't cover so pre launch review catches known bug patterns but it doesn't catch what happens when the contract is live with adversarial conditions.I'm no expert but would love to hear some thoughts/solutions to this.

reddit.com
u/One-Dragonfruit-6486 — 12 days ago

What's shadow AI in practice?

we found out four months ago that a dev on our team had been feeding chunks of our internal codebase into Claude to help with refactoring. No approval, no review. Found out because he mentioned it in a code review like it was nothing.

Ran an audit after that and found four times more shadow AI tool usage than expected, ChatGPT, Gemini, AI coding assistants in VS Code like Copilot, Codeiu, and Tabnine all making external API calls, Notion AI, random browser copilots. Nobody filed a ticket and did not  review data handling terms. Just people trying to work faster.

Saw a stat recently that enterprises have zero visibility into 89% of AI tool usage despite having AI acceptable use policies in place. Felt about right after our audit.

The part that got me was the risk isn't where I was looking. I was thinking unauthorized access to corporate systems. The actual problem is what's being typed into a prompt box,  source code, customer data, API keys, internal credentials. Outside your control the moment someone hits submit. Consumer accounts on ChatGPT and Claude may use that input for model training depending on account type, enterprise accounts contractually exclude it, but most employees aren't on enterprise accounts. Proxy sees a connection to claude.ai. Has no idea what went in. Pattern-based DLP doesn't catch unstructured prompt content either, it doesn't match regex patterns for known sensitive data types.

Is this what people mean when they say shadow AI? And how are teams getting visibility into AI tool usage at the interaction level, feels like most tooling wasn't built for this, though that's starting to change.

reddit.com
u/Minute_Marsupial9740 — 12 days ago
▲ 2 r/Information_Security+3 crossposts

Red Team attacks. Blue Team defends. But who makes security compliant by design?

In cybersecurity, we usually talk about two major teams:

Red Team: simulates attacks, exploits weaknesses, and validates real-world offensive paths.
Blue Team: detects, defends, responds, and protects systems from threats.

But I think there is a third role that deserves more recognition:

Green Team: the team that implements compliance, governance, evidence, and security controls into the actual engineering process.

Because here’s the reality:

A Red Team can prove where the weaknesses are.
A Blue Team can prove how well the organization can defend.
But the Green Team helps prove that the organization has the right controls, policies, ownership, approvals, and evidence trail in place.

That means:

Red Team = Offense simulation
Blue Team = Defense simulation
Green Team = Compliance implementation

The Green Team is not just paperwork. It is about turning regulatory and security requirements into actual engineering controls:

Access control
Encryption standards
Logging and monitoring
Risk assessment
Policy enforcement
Evidence tracking
Audit readiness
Control mapping
Review cycles
Remediation ownership

u/greenarmor — 13 days ago
▲ 10 r/Information_Security+5 crossposts

Anyone exploring security challenges with agents?

Thought this might be relevant to some of the security people in the group. 

embryōnic is a venture studio that partners with problem-driven founders. We’re currently looking for founders for a cohort focused on Cybersecurity for the Agentic Web.

If you work in cybersecurity and have run into challenges with agentic systems, MCPs, agent identity, skills/prompt injections or related areas and have considered building a solution around them, we’d be interested to hear from you. We’re looking for founders who have seen these problems up close and want to solve them.

To progressively de-risk the venture, when we match, our sister company writes the first check as a SAFE - deployed across three Stage Gates, based on proof. Each gate de-risks the next: (in)validate the problem, test the core solution hypothesis, then build the Beta until the first customer pays the bill.

No need to quit your job until product-market fit signals are there. 

To apply and for more details here: https://embryonic.studio/apply 

u/embryonic_studio — 11 days ago
▲ 1 r/Information_Security+1 crossposts

3 common security blind spots I see in early-stage MERN apps (and how to fix them easily)

>Hey everyone,

I am a full-stack developer who spends a lot of time in the cybersecurity space (recently built a lab simulating full attack chains using Suricata IDS). I look at a lot of early-stage web apps, and I notice that founders often push for rapid deployment while accidentally leaving the back door wide open.

If you are building a web app or SaaS right now, check your stack for these three things:

1. Improper Authentication Checks (Broken Object Level Authorization) Just because a user is logged in doesn't mean they should be able to access user/1234. Make sure your backend explicitly verifies that the currently authenticated user actually owns the resource they are requesting.

2. Leaving MongoDB Open to the World It sounds basic, but misconfigured databases are incredibly common. Ensure your database only accepts connections from your specific backend server IP, not 0.0.0.0/0.

3. Ignoring Dependency Vulnerabilities Using npm install blindly can introduce massive risks. Make a habit of running npm audit and updating packages that have known vulnerabilities before you push to production.

Security doesn't have to slow down your MVP, but retrofitting it after a breach is a nightmare. Happy to answer any questions in the comments if anyone is currently struggling with securing their stack!

reddit.com
u/Deep_Anteater4691 — 11 days ago
▲ 17 r/Information_Security+7 crossposts

Dismantling FortiBleed: We found the Russian operation turning FortiGate firewalls into passive credential vacuums (110M+ creds harvested) 🚨

If you manage Fortinet gear, grab a coffee. You're going to need it. ☕

Our Threat Research team just published a massive teardown of a Russian compromise operation we’re tracking as FortiBleed. Active since at least February 2026, these threat actors aren't just doing simple smash-and-grabs—they’ve built a highly automated, industrialized credential-harvesting machine.

There is a special kind of irony when your firewall is the exact thing stealing your data. Here is the TL;DR of what we found under the hood:

  1. The Weapon: A custom Golang tool called "FortigateSniffer". It literally turns compromised firewalls into passive collectors, sniffing traffic across 24 different authentication protocols.
  2. The Scale: Over 430,000 FortiGate firewalls targeted. They ran 659+ harvest cycles, exposing over 110 million credentials (including RADIUS, NTLM, and Kerberos material).
  3. The Infrastructure:They aren't playing around. We mapped an isolated Kali VM lab, Hashtopolis and Hashcat GPU clusters, and rented vast(.)ai capacity used to crack hashes at scale.
  4. The Victims: The dominant profile is IT services and SMBs (under 200 employees), but they also successfully breached and exfiltrated DFS data from a NATO-aligned defense contractor.

We’ve broken down the complete 5-stage attack chain—from initial recon and brute-force to harvesting, cracking, and exfiltration.

We also dropped all the IoCs and defensive recommendations so you can set up timely alerts and mitigate risks before your network becomes a statistic.

Dive into the full teardown to help strengthen your security posture: https://hubs.la/Q04mc0fJ0

Stay sharp out there. Let us know what you think of the attack chain in the comments. 👇

reddit.com
u/socradario — 14 days ago