Dhruv AHUJA
@new23d.bsky.social
Making network egress filtering effective, reliable and usable. Founder & Chief Engineer at @chasersystems.bsky.social

Blog: https://www.new23d.com/
Pinned
My 20-minute talk "Evading AWS GuardDuty and Network Firewall using Privacy Enhancing tech", dissecting DNS over HTTPS and #TLS (e)SNI, at @fwdcloudsec Boston in '22. Link to #DoH IPs feed for #GuardDuty embedded in slides. DM for slides.

www.youtube.com/watch?v=DKSa...
Evading AWS GuardDuty and Network Firewall using Privacy Enhancing tech - Dhruv AHUJA
YouTube video by fwd:cloudsec
We dug deeper into data & telemetry sent #outbound by #Cursor, #Claude, #Copilot and 4 other agent editors, so you can make an informed choice. With the IOCs revealed, you can also monitor for shadow IT usage of these in your corporate/cloud networks.

chasersystems.com/blog/what-da...
November 11, 2025 at 12:17 PM
Reposted by Dhruv AHUJA
I hired a director recently and this was my screening question: can you please explain the difference between public-key and symmetric-key cryptography.

Virtually all the candidates, who universally claimed security engineering expertise of some kind (some cryptography-related) could not. At all.
November 7, 2025 at 4:57 PM
Solid work done by the team 💪. If you use agentic editors in your work, this is a must read. Only took two months of research.
What data do coding agents send, and where to?

Our report seeks to answer some of our questions for the most popular coding agents. Incidentally, a side-effect was running into OWASP LLM07:2025 System Prompt Leakage. You can see the system prompts in the appendix.

chasersystems.com/blog/what-da...
November 4, 2025 at 12:20 PM
The Pyramid of Pain [1] from over a decade ago is still 🎯. Block TTPs, Tools and Artifacts if you can detect them. Allow only trusted Domain Names and IP Addresses, in an otherwise default deny mode. Hashes just contribute to climate change. This graphic helps me at...
October 31, 2025 at 9:49 AM
"Aston Martin now able to ship cars to US at lower tariff rate without hitting quota limit following JLR hack" 🤦

you couldn't make this up

www.ft.com/content/c08f...
October 29, 2025 at 11:33 AM
More stock is on the way. Looks like we can keep this offer open for another week.
Looking at us-east-1 this morning like... 👀

We're giving away 1,000 of our "It's always DNS" stickers and sticky-notes to decorate your laptops! Fill in the linked form below and we'll get it mailed directly to you, wherever you are in the world.

forms.office.com/e/14jHFdU9Kv

#aws #itsalwaysdns
October 29, 2025 at 9:01 AM
"The result is that there is often an inverse correlation between the size of an organization and how rapidly it installs patches." 💯

www.cs.columbia.edu/~smb/blog/20...
SMBlog -- 12 May 2017
October 26, 2025 at 6:47 PM
11:48 PM PDT Oct 19 ➡ 12:38 AM Oct 20 = 50 minutes. That's how long AWS took to "our engineers had identified DynamoDB’s DNS state as the source of the outage".

This is impressive, and evidence of "tribal knowledge" NOT having departed. IYKYK.

I only wish they used UTC 🇬🇧
October 23, 2025 at 10:18 AM
These were in solid demand at our @fwdcloudsec.org booth earlier this year and we couldn't help but spread the love among AWS users today. Get yours in the post. #us_east_1 #dns (GCP, Azure, etc peeps can also fill the form 😛 )
Looking at us-east-1 this morning like... 👀

We're giving away 1,000 of our "It's always DNS" stickers and sticky-notes to decorate your laptops! Fill in the linked form below and we'll get it mailed directly to you, wherever you are in the world.

forms.office.com/e/14jHFdU9Kv

#aws #itsalwaysdns
October 20, 2025 at 11:25 AM
It's always DNS.

Or us-east-1.
October 20, 2025 at 9:22 AM
The UK ICO has fined Capita £14 million. Lots of juicy details in the doc re #ransomware components used: QakBot, Cobalt Strike, Bloodhound, SystemBC. The threat actor was able to laterally move and establish persistence before the SOC got around to the alerts. They had a C2...
October 16, 2025 at 7:51 AM
I would've reversed the order of recommendations by Wiz on their RediShell CVE-2025-49844 blog post. Network controls are easier & quicker to apply and involve no downtime than changing server & client side configs. Even allowing all known IP ranges of your apps' service...
October 7, 2025 at 12:33 PM
Was going through Toby Blair Institute's whitepapers on Digital ID to see how their propaganda might intersect with Labour's BritCard whitepaper [1]. Found one on Open Standards and Open Source at TBI, which discusses vendor lock-in, 🧵

[4] www.youtube.com/watch?v=M1hX...
IAM Roles Anywhere – now for everyone with Let's Encrypt
YouTube video by fwd:cloudsec
October 6, 2025 at 12:58 PM
I was affected by first the British Library hack, then M&S, Berlin airport, and now embraced for Asahi shortage. Pretty sure all of them, including JLR, had a `bag of tools` like the most popular EDRs in their peer groups, visibility tools such as CSPMs (CNAPPs now?), and maybe..
October 3, 2025 at 12:55 PM
TLS inspection for egress traffic is getting harder and perhaps already at a point where security teams are finding more traffic needing to be excepted than not.

Woke up today to see an email from a prospect who had chosen another solution over DiscrimiNAT because...
September 29, 2025 at 9:19 AM
"Aaron Le Marquer, head of insurance policyholder disputes at Stewarts, said at a recent Lloyd’s of London event that there were no fewer than 48 versions of this cyber “war exclusion” in circulation."

www.ft.com/content/84da...
How does cyber insurance work — and why don’t all companies have it?
Many big businesses have cyber attack cover, but the range of exclusions for some policies creates payout doubts
September 27, 2025 at 8:09 AM
Every #cloud has a silver lining. Today's London #tubestrike 🚃 has opened up #bbcproms tickets 🎼

Sorry, this post wasn't about AWS, GCP, Azure, etc. 😆

Stock photo does suggest writing a multicloud conductor may not be a bad idea!

#brahms
September 11, 2025 at 10:52 AM
People need to not be scared of Public IP addresses and find comfort in robust, monitored firewall rules instead. This was an unnecessary change anyway. Still going ahead next year though.
September 8, 2025 at 9:33 AM
> In March through June 2025, the threat actor accessed the Salesloft GitHub account.

Nothing in GitHub Advanced Security could have prevented this. Although, I'm building a new solution that will prevent this in the future.

Original source:

trust.salesloft.com?uid=Update+o...
Salesloft Trust Portal
Portal providing information and documentation related to Salesloft's security, privacy, and compliance.
September 7, 2025 at 6:30 PM
Excited to share my recent appearance on the Modern Cyber with Jeremy Snyder podcast, recorded live from @fwdcloudsec.org 2025 in Denver!

If you're in cloud security, networking, or just love geeking out on PKI and IPv6, this one’s worth your time.

rss.com/podcasts/mod...
Dhruv Ahuja of Chaser Systems | Podcast Episode on RSS.com
In this special live episode recorded at fwd:cloudsec 2025 , Jeremy is joined by Dhruv Ahuja of Chaser Systems for a deep dive into the world of financial services, network evolution, and elegant secu...
September 5, 2025 at 11:15 AM
@roocode.bsky.social with an OpenRouter API key in VSCode 👌
September 1, 2025 at 4:40 PM
Reposted by Dhruv AHUJA
v2.20 of DiscrimiNAT Firewall now available on GCP 🎉

chasersystems.com/docs/discrim...
Release Notes | Chaser Systems
version 2.20 (2025-08-27)
September 1, 2025 at 6:05 AM
Another short-lived credential leak causes widespread data theft. Here at @chasersystems.bsky.social we're researching & prototyping practical second-factor methods for service account style usage.

cloud.google.com/blog/topics/...
Widespread Data Theft Targets Salesforce Instances via Salesloft Drift | Google Cloud Blog
UNC6395 stole data from Salesforce instances by exploiting compromised OAuth tokens from the Salesloft Drift app.
August 26, 2025 at 8:47 PM