r/Infosec

▲ 33 r/Infosec+5 crossposts

Got an AI agent past a Cloudflare WAF by giving it a RAG over past bypass research

Sharing a workflow that worked for me. The retrieval layer involved is my own project, so mentioning that upfront.

Setup: I was testing an XSS on a target behind Cloudflare, and every payload I tried was getting blocked by the WAF.

This time, instead of manually digging through old writeups, I gave my agent access to a retrieval layer built on top of a corpus of web security research (Preview RAG). The agent queries it in plain language, gets back actual writeups with sources attached, and uses that context to generate and test payload variants. One of those variants eventually got through and the XSS fired.

I'm not claiming the bypass itself is novel. It may already exist in a public writeup somewhere. What mattered to me was the workflow: the agent wasn't limited to whatever happened to be inside its training data. It could pull in relevant prior research and iterate from there.

That's the main reason I built this in the first place. Models have a training cutoff, but WAF evasion evolves quickly. Public bypasses get patched, new techniques appear, and the most useful information is usually the newest information. A retrieval layer helps bridge that gap.

The corpus is updated regularly and exposed over MCP, so it can be connected to any model with minimal setup, including smaller open-weight models.

Current limitations: it's strongest on client-side topics right now—XSS, WAF evasion, CSP, CORS, SSRF, request smuggling, and similar areas. Server-side coverage is improving, but still thinner, and it definitely won't have an answer for every problem.

Happy to share more about the setup. I'm honestly more interested in where this approach fails than where it succeeds. If you've experimented with agent-driven WAF bypassing and ran into hard limits, I'd love to hear about them.

u/Substantial_Kick4689 — 14 hours ago
▲ 1 r/Infosec+1 crossposts

We built a continuous AI pentest platform — first full web pentest is free, no card

Traditional pentests are annual and cost $5k+, so most teams fly blind between them. We built AssurePort to run continuous AI-driven pentests across 12 surfaces (web, API, cloud, GitHub, SAP, AD, email, etc.), with a reproducible PoC on every finding so it's auditor-usable. EU-hosted, GDPR-native, and inputs never train our models. First full web pentest is free (no credit card); after that scans start at $49. We also publish our own self-pentest reports. Honest feedback welcome. https://assureport.com

u/FactorPrestigious325 — 9 hours ago
▲ 169 r/Infosec+7 crossposts

A searchable knowledge base of web security research, for you or your AI agent

Built a small tool web security research.

You query it in plain English and it returns actual writeups with the source URL and the exact section that matches your question. No AI summaries or made-up answers.

Right now it's focused on XSS, WAF bypasses, CSP, CORS, SSRF, request smuggling, XS-Leaks, cache poisoning, prototype pollution, JWT/auth stuff, etc. Server-side coverage is next.

I mainly built it because when I'm stuck, somebody has usually already written about a similar problem. Finding that writeup is the hard part, especially for newer techniques that general models often miss.

Would genuinely appreciate feedback on where it fails. If you try it, let me know what you searched for and whether the results were actually useful.

u/Substantial_Kick4689 — 5 days ago
▲ 23 r/Infosec+4 crossposts

Blind POST SSRF in phpBB 4.0.0-alhpa1 Web Push (CVD with phpBB)

Came across an article, product like phpBB still has some potential flaws.

syntetisk.tech
u/Sandwich_1337 — 5 days ago
▲ 7 r/Infosec+3 crossposts

Backend Engineers: How do fintechs practically implement DPDP Rule 6 security safeguards?

Hi everyone,

I'm working on the compliance framework for an Indian fintech (Lending Service Provider) and would like to understand how the security safeguards under Rule 6 of the DPDP Rules, 2025 are implemented in practice.

The Rule mentions encryption, masking/obfuscation, access controls, audit logs, monitoring, backups and other technical and organisational measures, but I'd like to understand how engineering teams actually build these systems.

Some questions:

1.How do Fintech typically protect sensitive data such as PAN, Aadhaar and KYC documents?

  1. Is data generally encrypted both at rest and in transit? How is key management usually handled?

  2. How are access controls implemented? Do you use Role-Based Access Control (RBAC) or something more granular?

  3. What kinds of logs are maintained for security and audit purposes? Are they application logs, database logs, audit trails or something else?

5.Do Indian fintechs commonly obtain ISO/IEC 27001 certification, or do many startups simply implement equivalent security controls without formal certification?

I'm looking for practical implementation insights from backend, security or DevSecOps engineers rather than legal interpretations.

reddit.com
u/InfamousDistrict5362 — 7 days ago
▲ 1 r/Infosec+1 crossposts

Is this system safe enough to release to production?

I built a small tool to catch infra risks before production releases
I’ve been working on a project called Beacon.
The idea came from a very practical problem I’ve seen in distributed systems: before a release, teams usually have dashboards, logs, Terraform files, Kafka configs, Kubernetes manifests, runtime snapshots, etc. But still, the actual question is usually very simple:
“Is this system safe enough to release to production?”
Beacon tries to answer that.
It scans infrastructure/config/runtime inputs and gives a production-readiness decision with ranked risks, possible root causes, and suggested next actions. Right now it has examples around Kafka, Kubernetes, Terraform, Helm, runtime snapshots, OpenTelemetry, Prometheus, Schema Registry, CI/CD, and flow degradation.
This is not meant to replace observability tools. The way I think about it is:
Observability tells you what is happening.
Beacon tries to tell you what is risky, why it matters, and what should be fixed first.
You can try the demo without setting up Python locally.
Run the UI with Docker:

docker pull ghcr.io/mishraricha1806/beacon:latest

docker run --rm -p 8765:8765 ghcr.io/mishraricha1806/beacon:latest ui --host 0.0.0.0 --port 8765

Then open:

http://127.0.0.1:8765/

For the simplest demo, use the sample bad infrastructure example from the repo:

examples/bad-infra/

In the UI, choose the static/readiness input, upload the files from that folder, run the scan, and check the readiness score, top reasons, grouped risks, and next actions.
You can also run the same demo from CLI:

docker run --rm \
  -v "$PWD:/workspace/project:ro" \
  ghcr.io/mishraricha1806/beacon:latest readiness static \
  /workspace/project/examples/bad-infra \
  --environment prod \
  --no-html \
  --no-open-report

Expected result is the tool should flag the setup as NOT READY, with risks like replication, storage/message-size, and missing governance context.
There is also a Black Friday style demo for payment/event pipeline readiness:

docker run --rm \
  -v "$PWD:/workspace/project:ro" \
  ghcr.io/mishraricha1806/beacon:latest readiness all \
  --static-path /workspace/project/examples/demo-black-friday \
  --snapshot /workspace/project/examples/demo-black-friday/runtime-snapshot.yaml \
  --environment prod \
  --no-html \
  --no-open-report

Repo: https://github.com/mishraricha1806/beacon
I’d be interested in feedback from people who work with Kafka, Kubernetes, Terraform, platform engineering, SRE, or release governance.
Mainly looking for thoughts on:

  • Does this kind of readiness gate feel useful before production releases?
  • What signals would you expect such a tool to check?
  • Would you prefer this as a CLI, CI/CD gate, or lightweight UI?

GitHub

GitHub - mishraricha1806/beacon: Detect infrastructure risks before production.

reddit.com
u/Any-Leg-7348 — 8 days ago
▲ 200 r/Infosec+6 crossposts

Do not allow Gemini on Lockscreen. Gemini bypass the unlock to access the chats history, Gemini 's photos gallery and files and some settings. Allows turn on WhatsApp integration and Gmail and Drive

u/VBarraquito — 12 days ago
▲ 268 r/Infosec+6 crossposts

NSA

BREAKING: The NSA's own director says Mythos broke into almost all of its classified systems in hours.

Per The Economist, Senator Mark Warner, vice chair of the Senate Intelligence Committee, said General Joshua Rudd, who runs the NSA and the Pentagon's Cyber Command, told him this directly.

This came out on June 11, the same day Amazon reportedly found a separate jailbreak in Anthropic's models. Within hours, Trump ordered Anthropic to cut off foreign access to Mythos and Fable.

Anthropic shut both down completely instead.

Now there are two competing stories for why this actually happened.

One says the shutdown was a response to the NSA's own classified systems getting breached in hours.

The other says Anthropic is privately pushing back, calling the jailbreak minor and the shutdown an overreaction to something other AI models can already be tricked into doing.

The NSA was already using Mythos for its own cyber operations, with Anthropic engineers embedded inside the agency. The same tool the agency was actively relying on is the one its own director says broke into almost everything it owns.

reddit.com
u/ramanpalkuri9 — 13 days ago

How do enterprises prevent AI models from leaking sensitive data?

On the technical side we’ve had to layer controls. Start by not training on, indexing, or stuffing into prompts any sensitive data that isn’t strictly required. Then narrow which models and routes can ever touch the higher‑risk buckets, scrub and tag inputs so anything coming from third parties is clearly marked, and add an explicit enforcement step on outputs that flags or blocks anything that looks like secrets or regulated information. In parallel, the organization has to pull its weight: data classification that engineers actually understand, clear guidance on which categories may reach a model at all, and review requirements for any feature that touches those categories. Without that, you’re effectively betting on every individual dev to remember an invisible boundary.

For those working under tight privacy or regulatory constraints, what additional guardrails technical or process ended up being crucial beyond the obvious “don’t train on PII”?

reddit.com
u/Ok_Abrocoma_6369 — 10 days ago
▲ 17 r/Infosec+1 crossposts

Vendor promised CVE credits on YesWeHack, paid me out (with lower payout tier), then ghosted. Now a suspiciously similar CVE dropped with credits given to Cisco Talos. What are my options?

Hi everyone,

I need advice on how to get YesWeHack staff to intervene or review a ticket, as I don't see a "Request Mediation" button on the report interface.

The Situation:

  • My Report: I submitted a Critical bug (CVSS 9.6) regarding an iOS/Android app. The vendor accepted it, paid a bounty (though underpaid by ~60% based on their own matrix), and explicitly wrote: "We will apply for a CVE on your behalf and list your name as the reporter." After the payout, they completely ghosted my follow-up messages.
  • The Suspicion: A few days ago, a public CVE dropped for the exact same app. The CVE was "Reserved" just 3 days before the vendor promised me the credits in writing.
  • The Dilemma: The public CVE credits Cisco Talos and the technical description is different from what I reported (it talks about unencrypted legacy APIs, whereas I reported a TLS chain validation flaw). However, given the identical timeline and app, I strongly suspect they might be related, or affecting the same component.

Since the vendor is ignoring my comments, I want YesWeHack to step in so I can get clear answers on whether this CVE is connected to my findings, and why the payout matrix wasn't respected.

My Question:

What is the best way to open a support ticket or call for mediation with YesWeHack staff when a vendor ghosts you? Has anyone experienced something similar?

Thanks!

reddit.com
u/allexj — 10 days ago
▲ 13 r/Infosec+1 crossposts

If you ever wanted to carve out a piece of MFT/Journal - a timeframe, path or file extensions... here's your chance

I worked in forensics for many years and one of the most annoying things in MFT/Journal analysis, is that initial work of prepping the files until they are readable by humans (size, format, timeframe). I used to export to csv, open in emeditor, then carve out the time periods I did not care about, but that took time and was not reliable.

Now, with the emergence of AI, I was finally able to create the app that does it.

It basically allows you to select a timeframe, extensions you do or do not care about, folders you wish to exclude, and go on your merry way of exporting the valid but carved out MFT for use in other tools or a CSV for use in your favorite tools, too.

As this could be a collaborative project... and I will NEVER sell it, it will remain free (and maybe even open source) - what else would you like to see in such an app? Mods, am I allowed to add a link to a free tool here?

https://preview.redd.it/smc3u9vl679h1.png?width=2470&format=png&auto=webp&s=8435e8ed9428b9d46396d069816eefe7fe631af1

I am almost certain there is no free or paid software out there that allows this kind of laser-focused carving of MFT files for speed of analysis. If the mods allow it, I'll post a link to the download. It's Freeware.

reddit.com
u/xorredd — 12 days ago
▲ 4 r/Infosec+7 crossposts

Google Cybersecurity Certificate or Redfox Cybersecurity Academy?

One gives you the basics.
The other pushes you into real labs, real tools, and real attack chains.

This blog breaks down the honest difference between beginner-friendly security awareness and hands-on technical skill-building for pentesting, red teaming, and AppSec careers.

Read now: https://www.redfoxsec.com/blog/google-cybersecurity-certification-vs-redfox-cybersecurity-academy-an-honest-comparison

u/redfoxsecurity — 12 days ago
▲ 2 r/Infosec+3 crossposts

Red Team attacks. Blue Team defends. But who makes security compliant by design?

In cybersecurity, we usually talk about two major teams:

Red Team: simulates attacks, exploits weaknesses, and validates real-world offensive paths.
Blue Team: detects, defends, responds, and protects systems from threats.

But I think there is a third role that deserves more recognition:

Green Team: the team that implements compliance, governance, evidence, and security controls into the actual engineering process.

Because here’s the reality:

A Red Team can prove where the weaknesses are.
A Blue Team can prove how well the organization can defend.
But the Green Team helps prove that the organization has the right controls, policies, ownership, approvals, and evidence trail in place.

That means:

Red Team = Offense simulation
Blue Team = Defense simulation
Green Team = Compliance implementation

The Green Team is not just paperwork. It is about turning regulatory and security requirements into actual engineering controls:

Access control
Encryption standards
Logging and monitoring
Risk assessment
Policy enforcement
Evidence tracking
Audit readiness
Control mapping
Review cycles
Remediation ownership

u/greenarmor — 13 days ago
▲ 25 r/Infosec+8 crossposts

Gottheimer readies AI bill to vet powerful AI models for risk - The New Jersey Democrat says advanced AI models should face mandatory government reviews for national security, critical infrastructure and bioterror risks.

politico.com
u/EchoOfOppenheimer — 12 days ago