Russ McRee
@holisticinfosec.bsky.social
Director, GCP Cyber Defense Center, @Google, former @MSFT MSRC, PhD, GSE #52, @SANS_ISC handler, music via @russmcree
Detection overhaul with two new ATT&CK objects, Detection Strategies and Analytics, that shift guidance from single-sentence notes to structured, behavior-focused strategies. Workbench now supports Detection Strategies to take full advantage of the defensive updates. medium.com/mitre-attack...
ATT&CK v18: Detection Strategies, More Adversary Insights,
ATT&CK v18 is released with new Detection Strategies, Analytics, and revamped Data Components!
medium.com
October 29, 2025 at 1:40 AM
Detection overhaul with two new ATT&CK objects, Detection Strategies and Analytics, that shift guidance from single-sentence notes to structured, behavior-focused strategies. Workbench now supports Detection Strategies to take full advantage of the defensive updates. medium.com/mitre-attack...
Deeply proud of our Cloud VRP team (Darby & Cote) for a huge body of work re this bugSWAT, and thank you to an AMAZING group of researchers…truly the best of the best. $1.6m awarded for this event alone, and $2.5m total in 2025! Thank you, all. bughunters.google.com/blog/5364401...
Blog: Hardening Google Cloud: Insights from the latest Cloud VRP bugSWAT
Check out this blog post for more on the inaugural Cloud-focused bugSWAT, hosted by the Cloud VRP, and how events like this help boost Google's security posture in close collaboration with external re...
bughunters.google.com
September 10, 2025 at 8:29 PM
Deeply proud of our Cloud VRP team (Darby & Cote) for a huge body of work re this bugSWAT, and thank you to an AMAZING group of researchers…truly the best of the best. $1.6m awarded for this event alone, and $2.5m total in 2025! Thank you, all. bughunters.google.com/blog/5364401...
I share the use of OctoSQL as a fast CLI interface to vulnerability data aggregated via CVE-Vulnerability-Information-Downloader. If you’ve wanted to join vulnerability data (CVE, CVSS, EPSS) from disparate data sources and file types, this is the toolsmith for you.
holisticinfosec.io/post/octosql/
holisticinfosec.io/post/octosql/
OctoSQL & Vulnerability Data
toolsmith #152: CLI SQL to query and join disparate databases and file formats
holisticinfosec.io
June 6, 2025 at 2:31 PM
I share the use of OctoSQL as a fast CLI interface to vulnerability data aggregated via CVE-Vulnerability-Information-Downloader. If you’ve wanted to join vulnerability data (CVE, CVSS, EPSS) from disparate data sources and file types, this is the toolsmith for you.
holisticinfosec.io/post/octosql/
holisticinfosec.io/post/octosql/
A robust evaluation framework developed to automatically red-team an AI system’s vulnerability to indirect prompt injection attacks…a walk-through of the threat model, and a description of three attack techniques implemented in the evaluation framework. security.googleblog.com/2025/01/how-...
How we estimate the risk from prompt injection attacks on AI systems
Posted by the Agentic AI Security Team at Google DeepMind Modern AI systems, like Gemini, are more capable than ever, helping retrieve data ...
security.googleblog.com
February 24, 2025 at 1:29 AM
A robust evaluation framework developed to automatically red-team an AI system’s vulnerability to indirect prompt injection attacks…a walk-through of the threat model, and a description of three attack techniques implemented in the evaluation framework. security.googleblog.com/2025/01/how-...
SecTemplates for infosec professionals, and startup engineering teams lacking a security team, to help bootstrap their programs. Starting points for:
*Preparation checklists
*Runbooks
*Programs and their associated processes
*Useful security metrics
*Document templates github.com/securitytemp...
*Preparation checklists
*Runbooks
*Programs and their associated processes
*Useful security metrics
*Document templates github.com/securitytemp...
GitHub - securitytemplates/sectemplates: Open source templates you can use to bootstrap your security programs
Open source templates you can use to bootstrap your security programs - securitytemplates/sectemplates
github.com
February 18, 2025 at 5:24 PM
SecTemplates for infosec professionals, and startup engineering teams lacking a security team, to help bootstrap their programs. Starting points for:
*Preparation checklists
*Runbooks
*Programs and their associated processes
*Useful security metrics
*Document templates github.com/securitytemp...
*Preparation checklists
*Runbooks
*Programs and their associated processes
*Useful security metrics
*Document templates github.com/securitytemp...
I’ve neglected holisticinfosec.io and #toolsmith for more than a year. Excuses? Sure…signed to a label & made a record, moved after 27 years in same home, multiple deployments for cyber defense of 2024 election, expanded role at work…but here is my return to form holisticinfosec.io/post/protect...
toolsmith snapshot: Protect AI ModelScan
Protection Against Model Serialization Attacks
holisticinfosec.io
February 17, 2025 at 5:59 AM
I’ve neglected holisticinfosec.io and #toolsmith for more than a year. Excuses? Sure…signed to a label & made a record, moved after 27 years in same home, multiple deployments for cyber defense of 2024 election, expanded role at work…but here is my return to form holisticinfosec.io/post/protect...
FediSecFeeds searches CVE data in infosec.exchange and ioc.exchange instances with output fetched via GitHub's API. fedisecfeeds.github.io?utm_source=t...
FediSecfeeds
fedisecfeeds.github.io
January 23, 2025 at 5:58 PM
FediSecFeeds searches CVE data in infosec.exchange and ioc.exchange instances with output fetched via GitHub's API. fedisecfeeds.github.io?utm_source=t...
Proud of my team and cross-functional GCP partners in delivering this. Excited to announce that Google Cloud customers can now track Cloud Abuse Events using Cloud Logging. These events can include leaked service account keys, crypto mining incidents, and malware. cloud.google.com/blog/product...
Introducing Abuse Event Logging for automated incident remediation | Google Cloud Blog
Google Cloud customers can now track specific Cloud Abuse Events in Cloud Logging. Here’s what you need to know.
cloud.google.com
January 7, 2025 at 10:03 PM
Proud of my team and cross-functional GCP partners in delivering this. Excited to announce that Google Cloud customers can now track Cloud Abuse Events using Cloud Logging. These events can include leaked service account keys, crypto mining incidents, and malware. cloud.google.com/blog/product...
Great read: serverless env variables contain key-value pairs used to configure & pass information to serverless functions & applications. Sensitive data stored in environment variables (API keys, db credentials, etc) can be compromised if accidentally shared or made public
permiso.io/blog/how-adv...
permiso.io/blog/how-adv...
How Adversaries Abuse Serverless Services to Harvest Sensitive Data from Environment Variables
Learn how threat actors can exploit sensitive data stored in serverless environment variables in AWS, Azure, GCP and Kubernetes, and the use of cloud-offensive tools for this purpose. Additionally, th...
permiso.io
January 7, 2025 at 9:56 PM
Great read: serverless env variables contain key-value pairs used to configure & pass information to serverless functions & applications. Sensitive data stored in environment variables (API keys, db credentials, etc) can be compromised if accidentally shared or made public
permiso.io/blog/how-adv...
permiso.io/blog/how-adv...
STAMP shifts perspective on accidents from linear chains of failures to a control problem. The model should explain accidents that result from component failures, but also external disturbances, interactions between components, and incorrect or inadequate behavior. ask www.usenix.org/publications...
The Evolution of SRE at Google
www.usenix.org
January 2, 2025 at 3:26 AM
STAMP shifts perspective on accidents from linear chains of failures to a control problem. The model should explain accidents that result from component failures, but also external disturbances, interactions between components, and incorrect or inadequate behavior. ask www.usenix.org/publications...