How has AI-assisted development impacted secrets leakage?

Vibe coding with AI is fast, but how can we make it safer

The present and future of security for the Model Context Protocol.

Infographic with five new facts about the tj-actions attack.

Build resilient GitHub Actions workflows with lessons from recent attacks.

Disclosure and discussion of CVE-2025-30154 in action-setup.

A comprehensive methodology for investigating and tracking real-world supply chain attacks exploiting GitHub Actions

Using the tj-actions/changed-files incident to expose the raw reality of rapid response research in cloud security

Tips and tricks for handling the fact that conference talks and engineering blogs are often quilted from small omissions and half-truths.

A talk expanding on the ideas first shared in ramimac.me/scorecarding

Learn how AWS VPC Endpoint CloudTrail logs can help you troubleshoot endpoint policies and strengthen your network's security against data exfiltration.

A dense, practical walkthrough of scaling cloud security programs, distilled from the best talks and posts out there

Cloud Security's overlap with FinOps benefits.

Exploring the many (many) ways you can delete resources in AWS

A framework for understanding where your organization sits in its security canary journey

A guide to tools for creating AWS IAM service roles.

A guide to tools for auditing AWS IAM.

Breaking down three sophisticated cloud threat actors and how canary infrastructure could detect them, with diagrams

Responsibly disclosing risks in using SSM Command Docs for software distribution.

Examining why GuardDuty alone probably isn't enough for AWS threat detection

AWS WAF is definitely not the best DDOS prevention tech on the market. But if you're ever in the seat and it's the tool you have, here's your guide.

Documenting a minor AWS vulnerability where the RDS snapshot public sharing confirmation checkbox wasn't actually enforced

An analysis of the thousands of public SSM Command documents, including identification of secret leakage.

Expanding on Nick Frichette's discovery of enumerable OIDC providers in AWS using the known_aws_accounts dataset.

Deep dive into publicly exposed AWS DocumentDB snapshots, including a disclosure affecting millions of Cinemark customers

How to use Semgrep for Terraform security - from evangelizing secure-by-default modules to catching subtle IaC footguns

What happens when you leak AWS keys on GitLab instead of GitHub? Spoiler - nobody cared

Revisiting Scott Piper's 2020 analysis of AWS ABAC - things are only a little better

A curated set of references to bootstrap your work on any of Daniel Grzelak's 15 cloud security research ideas

Use Steampipe queries to identify and reduce over-privileged IAM permissions with Access Advisor

A simple Terraform trick to minify SCPs and stay under AWS character limits

Introducing a fifth AWS-specific phishing attack via SES email verification

A rapid fire tour of problems you'll encounter scaling a cloud security program past Scott Piper's AWS Security Maturity Roadmap

A surprising SSM default that can grant shell access when you only intended port forwarding

A practical walkthrough for setting up RDS IAM Authentication with a bastion host and SSM port forwarding

A rapid fire tour of problems you'll encounter scaling a cloud security program, with opinions on build vs buy

Practical guidance on when to use S3 Access Logs vs CloudTrail Data Events, and how to operationalize each

How to use Service Control Policies to allowlist AWS regions and services, dramatically reducing attack surface

A refresher on the risks and threat model of AWS Lambda

A look at what AWS could (and should) do to harden their SSO device code authentication flow against phishing

Four AWS-specific phishing vectors beyond commodity credential theft, including SSO device code and CloudFormation attacks

Written companion to my DEFCON Cloud Village talk on getting your bearings in novel cloud environments

A methodology for rapidly orienting yourself in unfamiliar cloud environments and prioritizing the risks that matter

A BSidesCT talk analyzing over a dozen public AWS breaches, common root causes, and how to proactively secure your environment

A BSides Boston talk covering quick AWS security improvements for any organization plus big-picture considerations for enterprise environments

A survey of open-source tools for AWS IAM security, from PMapper and Parliament for assessment to Policy Sentry and Repo Kid for maintenance

A curated collection of the best non-Amazon resources for learning AWS security, extending the official Ramp-Up Guide

A BSidesCT talk on securing AWS environments, covering the shared responsibility model and open-source auditing tools like ScoutSuite

Announcing sadcloud, a Terraform tool for spinning up intentionally insecure AWS environments for testing and training

A 4-hour workshop from BASC 2019 covering the AWS shared responsibility model, open-source auditing tools, and hands-on CloudGoat exercises

Study notes from the CSA Security Guidance covering cloud concepts, governance, legal, compliance, and infrastructure security

Study notes from the ENISA cloud security report, covering risks, vulnerabilities, and information assurance requirements

Why I decided to pursue a part-time online master's degree in Information Security Leadership while working full-time as a pentester

Cloud Security's overlap with FinOps benefits.

A playbook for evaluating S3 Intelligent Tiering with napkin math, plus tips for derisking the migration

Adding a "Send Responses to Comparer" feature to the Autorize Burp extension for faster authorization testing triage

A rundown of Android security testing tools and methods, from Manitree and MobSF to drozer and manual testing

Fixing a false positive in MobSF's APK certificate analysis by checking the manifest for SHA256 usage

Adding optional flags to the S3 bucket enumeration tool for filtering private bucket output and controlling wordlist permutations

A small fix to aquatone's subdomain takeover detection for CloudFront, checking both HTTP and HTTPS

A guide to tools for creating AWS IAM service roles.

A guide to tools for auditing AWS IAM.

Revisiting Scott Piper's 2020 analysis of AWS ABAC - things are only a little better

Use Steampipe queries to identify and reduce over-privileged IAM permissions with Access Advisor

A practical walkthrough for setting up RDS IAM Authentication with a bastion host and SSM port forwarding

A survey of open-source tools for AWS IAM security, from PMapper and Parliament for assessment to Policy Sentry and Repo Kid for maintenance

Dozens of hours reading State of Cloud Security reports that I think miss the mark.

Doing security well? Then here are some tricks for pushing through the security questionnaire quagmire.

A universal theory for incrementally moving a cloud-native org to Zero Touch Prod, with AWS production access primitives

Why the security industry lacks small vendors fixing undifferentiated problems, plus 5 fixable gaps for security teams

Secure by Design is trending but we haven't seen a breakout startup - what makes selling secure defaults hard

Walking through the history and challenges of the RASP market, and whether the new ADR acronym will fare any better

Why there are so many *AST and *SPM startups, and why they keep getting acquired

How startups can build customer love and achieve rapid growth by word of mouth

Security’s pivot from 'Department of No' to 'Department of Yes' misses the real lesson - how to say 'No' the right way.

When should you hire that first security person?

A survey of approaches to scorecarding in security programs.

Practical tips for handling security alerts when you don't have a dedicated SOC

Asymmetric workloads are a double-edged sword - security can add outsized costs on orgs just as orgs can on us

Security Engineering is mainstream in certain circles - here's what we can learn from the challenges

Summarizing Wiring the Winning Organization and applying the lessons to security programs

Cross-company collaboration in security is rarely zero sum - a practical guide and call-to-action

First security hire is a weird job - here's a counterfactual guide on what to avoid

A comprehensive methodology for investigating and tracking real-world supply chain attacks exploiting GitHub Actions

Are agentic browsers the new Flash? A 2025 review of new attacks, vendor security layers, and a roadmap for navigating AI browser risks.

Wiz Research reveals the data behind Shai-Hulud's 2.0 long tail, the massive gap in cloud credential rotation, a potential link to the Trust Wallet incident, and how we finally "snipped the tail" on a month of ongoing infections.

Shai-Hulud 2.0 supply chain attack - reviewing the infection spread, victimology, leaked secrets distribution, and community response so far.

I am annoyed at the common traps security vendors fall into when producing research.

How secure are top private AI companies? Find out from our scans and disclosures.

Wiz Research has uncovered 550+ secrets hiding in plain sight. We worked with Microsoft to shut the door.

A visual analysis of the Shai-Hulud attack.

Detect and mitigate a critical supply chain compromise affecting over 100+ packages, organizations should act urgently.

Using the tj-actions/changed-files incident to expose the raw reality of rapid response research in cloud security

A deeper look at the Nx supply chain attack. Analyzing the performance of AI-powered malware, calculating incident impact, and sharing novel TTPs for further investigation.

Detect and mitigate a critical supply chain compromise affecting the Nx NPM Package. Organizations should act urgently.

Tips and tricks for handling the fact that conference talks and engineering blogs are often quilted from small omissions and half-truths.

How has AI-assisted development impacted secrets leakage?

Vibe coding with AI is fast, but how can we make it safer

Infographic with five new facts about the tj-actions attack.

A talk expanding on the ideas first shared in ramimac.me/scorecarding

How to analyze and prioritize CVEs in cloud security.

Build resilient GitHub Actions workflows with lessons from recent attacks.

The present and future of security for the Model Context Protocol.

Learn how AWS VPC Endpoint CloudTrail logs can help you troubleshoot endpoint policies and strengthen your network's security against data exfiltration.

Disclosure and discussion of CVE-2025-30154 in action-setup.

I'm joining the leading cloud security startup, hoping to "work for the Security Industry, at Wiz."

Security’s pivot from 'Department of No' to 'Department of Yes' misses the real lesson - how to say 'No' the right way.

Dozens of hours reading State of Cloud Security reports that I think miss the mark.

When should you hire that first security person?

Doing security well? Then here are some tricks for pushing through the security questionnaire quagmire.

A dense, practical walkthrough of scaling cloud security programs, distilled from the best talks and posts out there

Cloud Security's overlap with FinOps benefits.

A survey of approaches to scorecarding in security programs.

Exploring the many (many) ways you can delete resources in AWS

A framework for understanding where your organization sits in its security canary journey

A guide to tools for creating AWS IAM service roles.

A guide to tools for auditing AWS IAM.

Breaking down three sophisticated cloud threat actors and how canary infrastructure could detect them, with diagrams

Responsibly disclosing risks in using SSM Command Docs for software distribution.

A spoiler-heavy walkthrough of Wiz's promptairlines.com

Practical tips for handling security alerts when you don't have a dedicated SOC

Examining why GuardDuty alone probably isn't enough for AWS threat detection

AWS WAF is definitely not the best DDOS prevention tech on the market. But if you're ever in the seat and it's the tool you have, here's your guide.

Documenting a minor AWS vulnerability where the RDS snapshot public sharing confirmation checkbox wasn't actually enforced

An analysis of the thousands of public SSM Command documents, including identification of secret leakage.

Expanding on Nick Frichette's discovery of enumerable OIDC providers in AWS using the known_aws_accounts dataset.

A universal theory for incrementally moving a cloud-native org to Zero Touch Prod, with AWS production access primitives

Why the security industry lacks small vendors fixing undifferentiated problems, plus 5 fixable gaps for security teams

Four controls platforms can use when building a custom-domain feature to make it resilient to subdomain takeover down the road

Secure by Design is trending but we haven't seen a breakout startup - what makes selling secure defaults hard

Walking through the history and challenges of the RASP market, and whether the new ADR acronym will fare any better

Asymmetric workloads are a double-edged sword - security can add outsized costs on orgs just as orgs can on us

Security Engineering is mainstream in certain circles - here's what we can learn from the challenges

Deep dive into publicly exposed AWS DocumentDB snapshots, including a disclosure affecting millions of Cinemark customers

Summarizing Wiring the Winning Organization and applying the lessons to security programs

Why there are so many *AST and *SPM startups, and why they keep getting acquired

Every practical and proposed defense against prompt injection

How to use Semgrep for Terraform security - from evangelizing secure-by-default modules to catching subtle IaC footguns

What happens when you leak AWS keys on GitLab instead of GitHub? Spoiler - nobody cared

Cross-company collaboration in security is rarely zero sum - a practical guide and call-to-action

First security hire is a weird job - here's a counterfactual guide on what to avoid

Awesome secure by default libraries to help you eliminate bug classes

How startups can build customer love and achieve rapid growth by word of mouth

A playbook for evaluating S3 Intelligent Tiering with napkin math, plus tips for derisking the migration

Revisiting Scott Piper's 2020 analysis of AWS ABAC - things are only a little better

A curated set of references to bootstrap your work on any of Daniel Grzelak's 15 cloud security research ideas

Use Steampipe queries to identify and reduce over-privileged IAM permissions with Access Advisor

A simple Terraform trick to minify SCPs and stay under AWS character limits

From Turing tests to Private Access Tokens - tracing nearly 30 years of human interaction proofs

Introducing a fifth AWS-specific phishing attack via SES email verification

A rapid fire tour of problems you'll encounter scaling a cloud security program past Scott Piper's AWS Security Maturity Roadmap

A surprising SSM default that can grant shell access when you only intended port forwarding

A practical walkthrough for setting up RDS IAM Authentication with a bastion host and SSM port forwarding

A deep dive guide to securely building product features on top of AI APIs

A rapid fire tour of problems you'll encounter scaling a cloud security program, with opinions on build vs buy

Video of my BSidesSF 2023 panel appearance

Analyzing the RSA Innovation Sandbox finalists for Return on Security

Practical guidance on when to use S3 Access Logs vs CloudTrail Data Events, and how to operationalize each

How to use Service Control Policies to allowlist AWS regions and services, dramatically reducing attack surface

Curated guides for handling security at a startup or as the first security hire

A refresher on the risks and threat model of AWS Lambda

A look at what AWS could (and should) do to harden their SSO device code authentication flow against phishing

Four AWS-specific phishing vectors beyond commodity credential theft, including SSO device code and CloudFormation attacks

Looking back at the notable public cloud breaches of 2022 with Houston Hopkins

Collected stories and insights from Staff+ Security Engineers on their career paths and work

A practical guide to purchasing and extracting value from security services like pentests

A curated meta-database of resources that compile lists of security incidents and breaches

Runbooks for removing secrets and sensitive data from Git history, whether in a PR or merged to main

A comprehensive guide to buying and getting value from security services, from scoping to vendor selection to assessment readout

Nearly 200 references compiled for my BSidesSF talk and tldrsec guide on buying security services

Walkthrough of 20+ real AWS breaches, their root causes, and lessons learned for proactive defense

How we defined security team values at Cedar and the process we used to get there

Written companion to my DEFCON Cloud Village talk on getting your bearings in novel cloud environments

A methodology for rapidly orienting yourself in unfamiliar cloud environments and prioritizing the risks that matter

A BSidesCT talk analyzing over a dozen public AWS breaches, common root causes, and how to proactively secure your environment

A BSides Boston talk covering quick AWS security improvements for any organization plus big-picture considerations for enterprise environments

A survey of open-source tools for AWS IAM security, from PMapper and Parliament for assessment to Policy Sentry and Repo Kid for maintenance

A compendium of OAuth 2.0 Authorization Code grant vulnerabilities that can be identified from an end-user perspective

Study notes from the CSA Security Guidance covering cloud concepts, governance, legal, compliance, and infrastructure security

Study notes from the ENISA cloud security report, covering risks, vulnerabilities, and information assurance requirements

Why I decided to pursue a part-time online master's degree in Information Security Leadership while working full-time as a pentester

A curated collection of the best non-Amazon resources for learning AWS security, extending the official Ramp-Up Guide

Adding a "Send Responses to Comparer" feature to the Autorize Burp extension for faster authorization testing triage

A BSidesCT talk on securing AWS environments, covering the shared responsibility model and open-source auditing tools like ScoutSuite

Announcing sadcloud, a Terraform tool for spinning up intentionally insecure AWS environments for testing and training

A 4-hour workshop from BASC 2019 covering the AWS shared responsibility model, open-source auditing tools, and hands-on CloudGoat exercises

Part 3 of a three-part guide focusing on hardening Chrome browser configuration for enterprise deployments

Part 2 of a three-part guide focused on hardening the ChromeOS configuration for enterprise use

Part 1 of a three-part guide covering the baseline device security posture for enterprise Chromebooks

Using the Shodan API to find and analyze typos in HTTP security headers across the internet

A rundown of Android security testing tools and methods, from Manitree and MobSF to drozer and manual testing

Fixing a false positive in MobSF's APK certificate analysis by checking the manifest for SHA256 usage

Adding optional flags to the S3 bucket enumeration tool for filtering private bucket output and controlling wordlist permutations

A small fix to aquatone's subdomain takeover detection for CloudFront, checking both HTTP and HTTPS

Wiz Research reveals the data behind Shai-Hulud's 2.0 long tail, the massive gap in cloud credential rotation, a potential link to the Trust Wallet incident, and how we finally "snipped the tail" on a month of ongoing infections.

Shai-Hulud 2.0 supply chain attack - reviewing the infection spread, victimology, leaked secrets distribution, and community response so far.

Wiz Research has uncovered 550+ secrets hiding in plain sight. We worked with Microsoft to shut the door.

A visual analysis of the Shai-Hulud attack.

Detect and mitigate a critical supply chain compromise affecting over 100+ packages, organizations should act urgently.

A deeper look at the Nx supply chain attack. Analyzing the performance of AI-powered malware, calculating incident impact, and sharing novel TTPs for further investigation.

Detect and mitigate a critical supply chain compromise affecting the Nx NPM Package. Organizations should act urgently.

Infographic with five new facts about the tj-actions attack.

Disclosure and discussion of CVE-2025-30154 in action-setup.

Are agentic browsers the new Flash? A 2025 review of new attacks, vendor security layers, and a roadmap for navigating AI browser risks.

Wiz Research reveals the data behind Shai-Hulud's 2.0 long tail, the massive gap in cloud credential rotation, a potential link to the Trust Wallet incident, and how we finally "snipped the tail" on a month of ongoing infections.

Shai-Hulud 2.0 supply chain attack - reviewing the infection spread, victimology, leaked secrets distribution, and community response so far.

How secure are top private AI companies? Find out from our scans and disclosures.

Wiz Research has uncovered 550+ secrets hiding in plain sight. We worked with Microsoft to shut the door.

A visual analysis of the Shai-Hulud attack.

Detect and mitigate a critical supply chain compromise affecting over 100+ packages, organizations should act urgently.

A deeper look at the Nx supply chain attack. Analyzing the performance of AI-powered malware, calculating incident impact, and sharing novel TTPs for further investigation.

Detect and mitigate a critical supply chain compromise affecting the Nx NPM Package. Organizations should act urgently.

Tips and tricks for handling the fact that conference talks and engineering blogs are often quilted from small omissions and half-truths.

How has AI-assisted development impacted secrets leakage?

Vibe coding with AI is fast, but how can we make it safer

Infographic with five new facts about the tj-actions attack.

A talk expanding on the ideas first shared in ramimac.me/scorecarding

How to analyze and prioritize CVEs in cloud security.

Build resilient GitHub Actions workflows with lessons from recent attacks.

The present and future of security for the Model Context Protocol.

Learn how AWS VPC Endpoint CloudTrail logs can help you troubleshoot endpoint policies and strengthen your network's security against data exfiltration.

Disclosure and discussion of CVE-2025-30154 in action-setup.

A dense, practical walkthrough of scaling cloud security programs, distilled from the best talks and posts out there

Exploring the many (many) ways you can delete resources in AWS

A framework for understanding where your organization sits in its security canary journey

Breaking down three sophisticated cloud threat actors and how canary infrastructure could detect them, with diagrams

Practical tips for handling security alerts when you don't have a dedicated SOC

Examining why GuardDuty alone probably isn't enough for AWS threat detection

Documenting a minor AWS vulnerability where the RDS snapshot public sharing confirmation checkbox wasn't actually enforced

A universal theory for incrementally moving a cloud-native org to Zero Touch Prod, with AWS production access primitives

Why the security industry lacks small vendors fixing undifferentiated problems, plus 5 fixable gaps for security teams

Secure by Design is trending but we haven't seen a breakout startup - what makes selling secure defaults hard

Asymmetric workloads are a double-edged sword - security can add outsized costs on orgs just as orgs can on us

Security Engineering is mainstream in certain circles - here's what we can learn from the challenges

Summarizing Wiring the Winning Organization and applying the lessons to security programs

Every practical and proposed defense against prompt injection

Cross-company collaboration in security is rarely zero sum - a practical guide and call-to-action

Awesome secure by default libraries to help you eliminate bug classes

How startups can build customer love and achieve rapid growth by word of mouth

A deep dive guide to securely building product features on top of AI APIs

A rapid fire tour of problems you'll encounter scaling a cloud security program, with opinions on build vs buy

Curated guides for handling security at a startup or as the first security hire

A refresher on the risks and threat model of AWS Lambda

Looking back at the notable public cloud breaches of 2022 with Houston Hopkins

Collected stories and insights from Staff+ Security Engineers on their career paths and work

A practical guide to purchasing and extracting value from security services like pentests

Walkthrough of 20+ real AWS breaches, their root causes, and lessons learned for proactive defense

How we defined security team values at Cedar and the process we used to get there

Written companion to my DEFCON Cloud Village talk on getting your bearings in novel cloud environments

A compendium of OAuth 2.0 Authorization Code grant vulnerabilities that can be identified from an end-user perspective

A curated collection of the best non-Amazon resources for learning AWS security, extending the official Ramp-Up Guide

Announcing sadcloud, a Terraform tool for spinning up intentionally insecure AWS environments for testing and training

Part 3 of a three-part guide focusing on hardening Chrome browser configuration for enterprise deployments

Part 2 of a three-part guide focused on hardening the ChromeOS configuration for enterprise use

Part 1 of a three-part guide covering the baseline device security posture for enterprise Chromebooks

Using the Shodan API to find and analyze typos in HTTP security headers across the internet