Browse our blogs
We cover it all in The Security Blog. Discover what you’ve been looking for.

NIST CSF 2.0 Ratings and Assessment Methodologies for Scorecards – When the Math isn’t “Mathing”
As a Senior Security Consultant and National Institute of Standards and Technology (NIST) expert, the question I get asked the most is, how do we compare…

Attacking JWT using X509 Certificates
Take a closer look at JWT signature verification using X.509 headers as we walk through an attack and demonstrate a Burp extension to exploit a known…

Dragging Secrets Out of Chrome: NTLM Hash Leaks via File URLs
Figure 1 - We take our work very seriously. Capturing Hashes with DragonHash. Chromium-based browsers have an odd feature set that allows extensive drag-and-drop…

Hunting Deserialization Vulnerabilities With Claude
In this post, we are going to look at how we can find zero-days in .NET assemblies using Model Context Protocol (MCP). Setup. Before we can start vibe hacking, we…

Common Mobile Device Threat Vectors
Mobile devices are a must have in today’s world for communication. With that being said, these devices do come with some risks when it comes to personal data.…

Full Disclosure, GraphGhost: Are You Afraid of Failed Logins?
Another year, another vuln… It's that time again. Last year I disclosed the existence of GraphNinja - a (now fixed) vulnerability in Azure where you could…

Teaching a New Dog Old Tricks - Phishing With MCP
As AI evolves with MCP, can a new “dog” learn old tricks? In this blog, we test Claude AI’s ability to craft phishing pretexts—and just how much effort it…

Apples, Pears, and Oranges: Not All Pentest Firms Are the Same
Penetration testing is not a commodity service. If you are a procurer of penetration tests and have ever received wildly different quotes for the "same"…

AppSec Cheat Sheet: Session Management
Session Management Testing - Cookies. The Cheat Sheet section is for quick reference and to make sure steps don’t get missed. The Learn section is for those who…

Red Team Gold: Extracting Credentials from MDT Shares
When it comes to targeting enterprise deployment infrastructure during a Red Team engagement, SCCM (System Center Configuration Manager) tends to get all the…

Purpling Your Ops
How does one Purple Team? TAC Practice Lead Megan Nilsen shares open-source tools, techniques, and tips for security practitioners exploring Purple Teaming,…

I Got 99 Problems But a Log Ain’t One
1.1 Introduction. Here at TrustedSec, one of the goals of the Tactical Awareness & Countermeasures (TAC) team is to assess and enhance our partners' security…
