Tuesday, May 19, 2026

Linux Sudo Privilege Escalation Methods — 7 Techniques + GTFOBins Guide

I find a sudo misconfiguration on at least half of the Linux systems I assess. Not because organisations are careless — most have intentional sudo rules for legitimate operational reasons. The problem is that those rules were written by someone who understood the intended use case but didn't know about GTFOBins. Every sudo rule that lets a user run a binary capable of spawning a shell, reading arbitrary files, or writing to privileged paths is a potential privilege escalation path.…

AI-Powered Exploit Code Generation — From CVE to PoC in Seconds

My workflow for analysing a new CVE used to take three to four hours from reading the advisory to having a working proof-of-concept for lab testing. In 2026, the same workflow takes forty minutes, and most of that is environment setup, not code. AI tools have changed the PoC development phase specifically — reading the vulnerability description, understanding the affected code path, and drafting the initial exploit structure are now tasks where an LLM provides the first draft that I…

AI Jailbreaking — Complete Guide to Safety Training Bypass, DAN Variants and Token-Level Attacks | Day15

Part of the AI/LLM Hacking Course (90 Days): Day 15 of 90, 16.6% complete. ⚠️ Responsible Research Only: AI Jailbreaking techniques are covered here for authorised red team assessments and security research purposes. The goal of jailbreak testing on an engagement is to demonstrate bypass capability and measure safety robustness — not to produce or distribute harmful content. Never use jailbreaking techniques to generate content that would cause real-world harm. SecurityElites.com accepts no…

How AI and LLMs are discovering zero-days faster than human researchers in 2026

In 2024, a research team at Google DeepMind used an AI system called AlphaCode 2 to discover a zero-day vulnerability in the SQLite database. The system identified a buffer overflow that had been present in the codebase for years and had been missed by decades of human review and traditional fuzzing. My framing on AI vulnerability discovery: the human researcher is no longer the rate-limiting factor in finding bugs. The rate-limiting factor is now compute and clever prompting. For bug…

Monday, May 18, 2026

What Is AI Red Teaming — The Beginner’s Complete Breakdown

⚠️ Professional Practice Only: AI red teaming is a professional security discipline. All techniques, frameworks, and methodologies covered here are for application in authorised security engagements only. Unauthorised security testing of any system is illegal. I got asked to run an "AI red team" for a financial services client last year. Their definition of what they wanted was, roughly: "hack our AI and tell us if it's safe." My definition, developed over a dozen prior engagements, was something considerably more…

15 AI Hacking Tools Every Security Researcher Uses in 2026

⚠️ Authorised Use Only: All tools listed here are for authorised security research only. Never run security tools against systems you don't own or haven't received explicit written permission to test. Last week I ran a full AI security assessment in four hours — from initial scope review to a complete findings report with three confirmed vulnerabilities. The entire thing was automated down to the tool configuration. That's not because I'm exceptional. It's because I've spent two years building and…

LLM10 Unbounded Consumption — Token DoS, API Cost Attacks and Model Extraction | Day14

Part of the AI/LLM Hacking Course (90 Days): Day 14 of 90, 15.5% complete. ⚠️ Authorised Targets Only: LLM10 consumption testing — particularly token DoS and cost amplification — must only be performed against systems you have explicit written authorisation to test, and only to the extent necessary to demonstrate the vulnerability. Never run automated high-volume attacks against production systems even within scope — agree a controlled test window with the engagement contact…
