Browse our blogs
We cover it all in The Security Blog. Discover what you’ve been looking for.
PCI DSS Vulnerability Management: The Most Misunderstood Requirement – Part 2
Risk Ranking: This is part two (2) of a three (3) part series on PCI DSS version 4.0 requirement 6.3.1, for identification and management of vulnerabilities.…
PCI DSS Vulnerability Management: The Most Misunderstood Requirement – Part 1
Vulnerability Identification: PCI DSS version 4.0 requirement 6.3.1, for identification and management of vulnerabilities, and its predecessors in previous…
A Hitch-Hacker's Guide To DACL-Based Detections - The Addendum
This blog was co-authored by TAC Practice Lead Megan Nilsen and Andrew Schwartz. 1 Introduction: Last year, Andrew and I posted a four (4) part blog series…
Observations From Business Email Compromise (BEC) Attacks
Since joining TrustedSec, I have gotten to work numerous cases, and each of them is like unraveling a mystery to get at the truth—especially the situations…
From Chaos to Clarity: Organizing Data With Structured Formats
1.1 Introduction: About a year ago, we introduced a logging utility into our internal tooling on the Targeted Operations team to standardize how we output…
Securing Sensitive Data: How Ransomware Challenges the Healthcare Industry
The healthcare industry is a prime target for ransomware attacks due to the critical nature of its services and the sensitive data it handles. This blog post…
From Error to Entry: Cracking the Code of Password-Spraying Tools
Introduction: First things first, all of the tools in this blog post are really great tools and I have used most of them. (Thanks to the authors of the tools to…
Failure to Restrict URL Access: It’s Still a Thing
Here are some brief thoughts about an old issue. If you are a full-time application security professional, stop reading. You know all about this, you know…
Introducing PCI's New Self-Assessment Questionnaire
The PCI DSS 4.0 transition deadline is approaching on April 01, 2024, and we have a new type of reduced-scope self-assessment questionnaire (SAQ) to go with…
Unwelcome Guest: Abusing Azure Guest Access to Dump Users, Groups, and more
Abusing Guest Access: Dumping User Lists and Group Membership with Guest Access in Azure AD. This post will walk through a user, group, and application…
Behind the Code: Assessing Public Compile-Time Obfuscators for Enhanced OPSEC
Recently, I’ve seen an uptick in interest in compile-time obfuscation of native code through the use of LLVM. Many of the base primitives used to perform these…
Weaponization of Token Theft – A Red Team Perspective
This blog is the start of several deep dives into the weaponization of token theft. The focus of this blog will be on conditional access around devices and…