On-Prem Red Team AI — engineering notes from the front line
Deep dives, comparisons and field reports on autonomous red team AI, generative pentesting, deep-packet traffic intelligence, NIS2/DORA, and how to operate them air-gapped.
- Supply Chain AttackWordPressC2 Detection
WordPress supply-chain backdoor: the ShapedPlugin update-channel attack
A backdoor reached 3 ShapedPlugin Pro plugins through the official licensed update channel, stole admin and 2FA secrets, and self-deleted its loader. Why patch dashboards stayed green.
7 min read - Microsoft 365 CopilotPrompt InjectionZero-Click Exfiltration
SearchLeak: the one-click Copilot prompt injection that exfiltrates your mailbox
Varonis' SearchLeak (CVE-2026-42824) turned Microsoft 365 Copilot into a one-click data-theft tool. A year after EchoLeak, the same prompt-injection exfiltration pattern is back — here's why it keeps working.
8 min read - Prinz Eugen RansomwareTraffic AnalysisRansomware Detection
Prinz Eugen Ransomware Leaves No Note — and Encrypts Your Newest Files First
Prinz Eugen ransomware drops no ransom note, zeroes its own key, and encrypts your most recently used files first. Why host-side forensics miss it and wire-speed traffic ML doesn't.
8 min read - Red Team AISovereign AIOn-Premise
Mythos and the Restricted-AI Era: The Case for Sovereign, On-Premise Red-Team AI
Anthropic's Mythos — the most capable offensive AI yet built — was withheld from the public and then blocked by the US government. It proves two things every CISO needs to absorb: frontier offensive AI is now a controlled good, and red-team security is far bigger than source-code assessment. Here's the honest comparison with ZeroHunt Apex Pro on assessment and on-premise defense.
5 min read - NGINXCVE-2026-42530HTTP/3
NGINX CVE-2026-42530: Unauthenticated RCE in the Reverse Proxy in Front of Everything
F5's out-of-band patch fixes two CVSS 9.2 unauthenticated NGINX flaws — CVE-2026-42530 (HTTP/3) and CVE-2026-42055 (HTTP/2 upstream). Why an RCE in your reverse proxy is the worst kind.
7 min read - FortinetCredential TheftVPN Security
FortiBleed: 74,000 Fortinet Firewalls Leaked and Nothing to Patch
FortiBleed leaked working VPN credentials for ~74,000 Fortinet firewalls in 194 countries. No CVE to patch — the attacker logs in as a valid admin, and scanners see nothing.
7 min read - Arista EOSCVE-2026-7473Network Segmentation
Arista EOS CVE-2026-7473: An Exploited Bug With No Patch Coming
CVE-2026-7473 is on CISA KEV, actively exploited, and Arista plans no patch. Why your scanner and patch dashboard both miss this Arista EOS segmentation bypass.
7 min read - DragonForce RansomwareMicrosoft Teams C2TURN Relay Abuse
DragonForce's Backdoor.Turn: Ransomware C2 That Rides Microsoft Teams Relays
DragonForce's Backdoor.Turn tunnels ransomware C2 through legitimate Microsoft Teams TURN relays over QUIC, invisible to signature NDR. Why behavioral traffic ML is the only witness.
6 min read - FortiSandboxCVE-2026-39808Edge Appliance Security
FortiSandbox CVE-2026-39808: The Security Appliance Nobody Watches
Two FortiSandbox flaws (CVE-2026-39808, CVE-2026-39813) patched in April are now exploited in the wild. Why agentless security appliances are a detection blind spot — and how to catch their compromise.
6 min read