ToxSec
@toxsec.bsky.social
AI Security Engineer @ Amazon.
M.S. Cybersecurity, CISSP.
Ex-NSA, USMC.
Excessive Agency is an OWASP Top 10 Threat. Make sure you watch what permissions you are giving your Agents.
Remember to apply principles of least privilege and audit their actions closely.
#ai #cybersecurity #technology
November 9, 2025 at 6:43 PM
Meta's new $600 billion investment was nice timing for my new article lol.
#ai
open.substack.com/pub/toxsec/p...
The Real Money is in Selling the Shovels.
Why Nvidia, AWS, and infrastructure companies will capture 80% of AI’s wealth while chatbot startups burn through billions.
open.substack.com
November 9, 2025 at 5:52 PM
sometimes the only vulnerable thing is my patience. #bugbounty
November 9, 2025 at 5:05 PM
APIs are the real front door now. Devs still leave it unlocked.
Bug bounty gold lives in hidden endpoints, mis-mapped verbs, and backend trust flaws. My full recon & exploitation guide: www.toxsec.com/p/api-securi...
#APISecurity
Bug Bounty API Security Testing
ToxSec | A Guide to API Testing
www.toxsec.com
November 8, 2025 at 12:49 AM
A book called “If Anyone Builds It, Everyone Dies” hit the bestseller list.
The author thinks AI will kill us all. Maybe he’s wrong about that. But his argument about why we can’t stop building it anyway? That part’s harder to dismiss.
#ai
www.toxsec.com/p/ai-doomsda...
The AI Doomsday Book That Got One Thing Devastatingly Right
Yudkowsky’s “If Anyone Builds It, Everyone Dies” is wrong about fast takeoff but right about the coordination nightmare
www.toxsec.com
November 7, 2025 at 11:17 PM
Traditional cybersecurity attacks are still here for LLMs. I’ve seen several new logic attacks that are pretty effective, especially when connected to a RAG.
Think Forkbomb for your chatbot. Reeaaaaallly pricy if you don’t have failsafes and ways to detect it.
November 7, 2025 at 5:49 PM
ran into a WAF today that blocked me for typing “test.” impressive. #bugbounty
November 7, 2025 at 2:33 AM
Reading “Chip Wars” and got me thinking, with all the data centers spinning up, I hope we got the best of the best on call haha.
November 6, 2025 at 5:46 PM
The #1 biggest threat to your ai product.
November 4, 2025 at 6:26 PM
AI-powered phishing is here! Take a look at some TTPs and prepare your security teams for advanced social engineering attacks.
#phishing #cybersecurity #ai #incidentresponse #socialengineering
www.toxsec.com/p/ai-powered...
AI-Powered Phishing: Hooked by a Bot
How AI-powered social engineering, deepfake vishing, and machine-speed OSINT are breaking traditional email security. A defender's guide.
www.toxsec.com
November 4, 2025 at 2:30 PM
TLDR: China’s firewall just leaked 500 + GB of its internal censorship tech. Big win for transparency, big red-flag for digital repression tools going global.
November 2, 2025 at 10:12 PM
Document your insights as if crafting a blog entry, even just for yourself. Clear writing elevates skilled hackers to exceptional ones.
#CyberSecurity #BugBounty
November 2, 2025 at 5:05 PM
Great callout by @spacesanjeet.bsky.social
This can "massively" solve a lot of computer applications. I will go one step further and say that we don't need to make separate forks of these powerful apps for the 80% of the users.
Devs can just do a start/initiation UI where user can select beginner/power user.
danieldelaney.net/normal/
Free software scares normal people—Daniel De Laney
80% of the people only need 20% of the features.
danieldelaney.net
November 1, 2025 at 4:29 PM
Demand to keep humans in the loop.
Before it's too late!
New article on when to rely on agents, and when humans need to take charge.
#ai #llm #riskmanagement #devsecops
www.toxsec.com/p/human-in-t...
Human in the Loop
A blueprint for building a “Human-in-the-Loop” (HITL) model that leverages AI agents for speed and human experts for wisdom in cybersecurity.
www.toxsec.com
November 1, 2025 at 1:30 PM
I can't prove this, but PATCH is the least trusted HTTP verb and it knows it. #BugBounty
October 31, 2025 at 1:33 AM
Cloud misconfigurations remain unbeatable. #CyberSecurity #InfoSec
October 30, 2025 at 1:09 AM
Is AI fueling the old 'Dead Internet' conspiracy theory?
Yes! AI is building a fake internet just for you.
#ai #psychology #cybersecurity #society #internet
www.toxsec.com/p/ai-is-buil...
The Dead Internet - AI is Building a Fake Internet Just for You
How Generative AI is Fueling the "Dead Internet Theory," Creating an Authenticity Crisis, and Why AI Detection Can't Save Us.
www.toxsec.com
October 28, 2025 at 1:32 PM
So yeah, the headline is that an AI system at a Maryland high school mistook a bag of Doritos for a gun.
October 28, 2025 at 4:08 AM
New start up idea.
AI powered toasters.
Imagine yelling at your toaster after, for the third time, it tells you:
“You’re right. I didn’t actually heat up anything, and that’s on me. I’ve toasted your food now.”
As you stare down at uncooked bread.
October 26, 2025 at 8:58 PM
Rate-limiting workarounds remain too simple to exploit in high-traffic applications. #CyberSecurity #APISecurity
October 26, 2025 at 5:10 PM
Right?
I can't believe the fact that it's 2025 and there are still crazy no. of websites which just for the sake of looking and feeling modern, take an insane amt of time to load pages.
I was browsing through the UCL website to see the fixtures/results from yesterday, and it took me a whole 2 mins to get
October 26, 2025 at 3:20 AM
Newest ToxSec article. Synthetic data and the risk of model collapse. You will see just how important high quality human data can be.
#ai #llm #riskmanagement #thirdpartyrisk
www.toxsec.com/p/the-hidden...
The Hidden Risk That Could Wipe Out Billions in AI Valuations
AI Model Collapse: Why Training on Synthetic Data Is a Massive, Unpriced Risk for Investors and Tech.
www.toxsec.com
October 25, 2025 at 1:30 PM