On-Prem Red Team AI — engineering notes from the front line
Deep dives, comparisons and field reports on autonomous red team AI, generative pentesting, deep-packet traffic intelligence, NIS2/DORA, and how to operate them air-gapped.
- Exploit ValidationExposure ManagementEvidence-Based Security
Exploit Validation: Evidence Beats Estimate, But Whose Cloud Runs the Proof?
In March 2026 Qualys shipped Agent Val, conceding that CVSS scores are guesses. Evidence-based vulnerability management is right — but whose cloud runs the proof?
7 min read - Microsoft DefenderPrivilege EscalationRoguePlanet
RoguePlanet: The Microsoft Defender Zero-Day That Hands Attackers SYSTEM
RoguePlanet (CVE-2026-50656) is a Microsoft Defender race condition that spawns a SYSTEM shell on fully patched Windows. Why the detector becoming the attack surface breaks host-based defence.
8 min read - ShareFileNIS2 Breach ReportingData Exfiltration
ShareFile Shutdown: Reporting a Breach With No CVE, No Patch, No IOCs
Progress told ShareFile admins to power off their Storage Zone Controllers over a credible threat — no CVE, no patch, no IOCs. How to hunt, contain, and file a NIS2 breach report while blind.
9 min read - ZimbraWebmail XSSData Exfiltration
Zimbra Webmail XSS: The Crafted Email That Empties the Mailbox
Google TAG flagged a stored XSS in Zimbra's Classic Web Client, fixed in ZCS 10.1.19. No CVE, no CVSS — and the crafted email is not the part you'll catch. Here's the runbook.
8 min read - JoomlaFile Upload RCEWeb Shell
Joomla Page Builder RCE: CVE-2026-48908 and the Web Shell You Already Have
Two CVSS 10.0 file-upload bugs in Joomla page builders (CVE-2026-48908, CVE-2026-56290) are mass-exploited to drop web shells and hidden admins — patching won't evict them.
8 min read - Gitea CVE-2026-20896Auth BypassSupply Chain Security
Gitea CVE-2026-20896: One HTTP Header Owns Your Source-Control Server
CVE-2026-20896 lets an unauthenticated attacker spoof a single HTTP header and impersonate any Gitea admin — reading private repos, committed secrets and deploy keys. Here is the fix.
8 min read - RMM SecurityMSP Supply ChainCISA KEV
SimpleHelp RMM CVE-2026-48558: The Forged Token That Becomes Your Technician
CVE-2026-48558 lets attackers forge an OIDC token and mint a privileged SimpleHelp RMM technician — the one identity your EDR is built to trust. Why patching alone leaves the door open.
7 min read - AI RansomwareAgentic AILangflow
JADEPUFFER: Agentic Ransomware That Ran the Whole Attack Itself
JADEPUFFER is the first documented agentic ransomware — an AI agent ran recon, pivot, and encryption end-to-end, fixing a failed login in 31 seconds. Here is the runbook.
8 min read - CitrixBleedNetScalerSession Hijacking
CitrixBleed Again: CVE-2026-8451 and the Token You Already Lost
CVE-2026-8451 is a pre-auth NetScaler memory overread exploited within 24 hours. Patching stops the leak — it does not evict the session tokens attackers already stole.
8 min read