The Cyber Threat Perspective

SecurIT360

Step into the ever-evolving world of cybersecurity with the offensive security group from SecurIT360. We’re bringing you fresh content from our journeys into penetration testing, threat research and various other interesting topics.

brad@securit360.com

  1. 5h ago

    Episode 185 | A Toddler with a Bazooka: The Real Risk of AI Agents

    AI agents can search the web, manipulate files, run commands, make API requests, access cloud platforms, and operate fully autonomously. They are powerful, they are here, and most organizations have no security controls around them whatsoever. In this episode, Brad and Spencer break down the five major AI agent risk categories security teams need to understand right now, using Simon Willison's "lethal trifecta" as a framework and building on it with two additional risk areas they see in the field.

    In this episode:
    - What an AI agent actually is and why the definition matters before you can secure it
    - What AI agents are capable of: files, commands, APIs, memory, cloud access, and autonomous execution
    - The lethal trifecta: access to private data, exposure to untrusted content, and external communication
    - Risk category 1: Access to private data - why agents inherit your permissions and why that is dangerous
    - Risk category 2: Exposure to untrusted content and prompt injection attacks
    - Risk category 3: External communication and data exfiltration (including a real canary token experiment)
    - Risk category 4: Privileged access and limiting blast radius with least privilege identities
    - Risk category 5: Autonomous actions, approval gates, rate limits, and kill switches
    - Why backups, rollback plans, and recovery playbooks are more important than ever in an AI agent world

    Resources mentioned:
    - Simon Willison's lethal trifecta post (June 2025): https://simonwillison.net
    - Zach Korman's ContinuumCon sandbox escape workshop: https://continuumcon.com/schedule/
    - offsec.blog | securit360.com

    Need a pen test before end of year? Q3 slots are filling up fast.

    Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇ Spencer's Links: https://spenceralessi.com Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

    46 min
  2. Jun 11

    Episode 184 | Active Directory Isn't Dead. It's Just Undefended.

    Think Active Directory is dead? Think again. According to Microsoft data, 86% of organizational workloads still touch Active Directory, and nearly 20% of organizations don't expect to reach a hybrid state for 10-20+ years. In this episode, Brad and Spencer break down why AD attack paths remain one of the most critical threats in enterprise environments and what defenders can do about it right now. Spencer also previews his ContinuumCon workshop "Killing AD Attack Paths Once and For All" where he demonstrates how authentication policies and silos can eliminate an entire class of lateral movement attacks built into Windows and Active Directory.

    In this episode:
    - Why Active Directory is still alive, well, and heavily targeted
    - What an Active Directory attack path is and how attackers use them
    - The four prerequisites attackers need to abuse AD attack paths
    - Real-world examples: Kerberos ticket theft, SCCM abuse, certificate misconfigurations, and misconfigured permissions
    - Tools defenders should know: Bloodhound, PingCastle, Purple Knight, Locksmith, and ADelegator
    - How to prioritize remediations based on ease of exploitation vs. impact
    - Why retesting is the most overlooked step in any remediation cycle

    Resources mentioned:
    - Spencer's ContinuumCon Workshop (Fri. June 12, 10:30am PT / 1:30pm ET): https://continuumcon.com/schedule/
    - Hybrid Identity Protection Podcast (Semperis): https://www.semperis.com/hybrid-identity-protection-podcast/
    - Bloodhound CE: https://github.com/SpecterOps/BloodHound
    - PingCastle: https://www.pingcastle.com
    - Purple Knight: https://www.purple-knight.com
    - Locksmith: https://github.com/TrimarcJake/Locksmith
    - offsec.blog | securit360.com

    Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇ Spencer's Links: https://spenceralessi.com Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

    29 min
  3. Jun 5

    Episode 183 | OWASP Top 10 Part 2: Security Misconfigurations That Get You Hacked

    Security misconfiguration is one of the most frequently found vulnerabilities in web application pen testing — and most of the fixes are just a checkbox. In Part 2 of their OWASP Top 10 series, Brad Causey and Jordan Natter cover OWASP A05: Security Misconfiguration with real stories from recent engagements and practical takeaways for developers, security teams, and organizations of all sizes.

    In this episode:
    - Hardcoded Active Directory credentials and API keys discovered in a public GitHub repo during a healthcare pen test
    - Default credentials (admin/1234) found on a clinical research app storing PHI
    - A rogue Apache basic auth panel that survived from dev into production
    - How verbose error handling and stack traces hand attackers a roadmap to your app
    - Why dev-to-production is the most dangerous transition in your app's lifecycle
    - The shift-left mindset and DevSecOps — empowering devs to ship secure code
    - How CIS lockdown guides can dramatically improve your security posture overnight

    Resources mentioned:
    - OWASP Top 10: OWASP Top Ten Web Application Security Risks | OWASP Foundation
    - CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks
    - Ep. 182 – OWASP Top 10 Part 1: https://youtu.be/BwYJ-kZ3XaY

    Need a web application pen test? Reach out: Offensive Security - SecurIT360

    Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇ Spencer's Links: https://spenceralessi.com Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

    29 min
  4. May 27

    Episode 182: Patching Crisis — Vulns Now #1 Attack Vector (2026 Verizon DBIR)

    Hosts Brad Causey and Spencer Alessi break down the 2026 Verizon Data Breach Investigations Report, focusing on the findings that actually matter for IT and security teams. The biggest surprise: vulnerability exploitation has overtaken stolen credentials as the top initial access vector, accounting for 31% of attacks, while credential abuse dropped to just 13%. This completely flips the script on years of "identity is the new perimeter" thinking.

    Topics covered include:
    - Vulnerability explosion and remediation crisis: Why there are too many vulnerabilities and not enough time for patching, with only 26% of CISA KEV vulnerabilities fully remediated (down from 38%)
    - The patching time paradox: Median remediation time increased from 32 days to 43 days despite organizations initially getting faster at patching from 2022-2024
    - Web application sprawl: How the push to cloud and SaaS has created massive attack surfaces organizations don't own and can't patch
    - The top 4 initial access vectors: Vulnerability exploitation, phishing, credential abuse, and pretexting
    - Ransomware economics shifting: 48% of breaches involved ransomware, but 69% of victims didn't pay and median payments dropped to $139,875
    - Mobile phishing success: Mobile-centric phishing had 40% higher success rates than email phishing as users get better at spotting email threats
    - Social engineering evolution: The human element appeared in 62% of breaches, with pretexting requiring different countermeasures than traditional phishing
    - Shadow AI explosion: 45% of employees are regular AI users on corporate devices (up from 15%), with 67% using non-corporate accounts
    - AI data exfiltration: Shadow AI is now the third most common non-malicious insider risk, with source code being the top data type leaked
    - MCP and IDE extension risks: Real-world examples including PocketOS having their entire production database deleted by Claude connected to a railway CLI MCP

    Brad and Spencer emphasize that while the threat landscape is shifting dramatically, the fundamentals still matter. Organizations need to get comfortable with not being able to patch everything and focus on what matters most.

    Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇ Spencer's Links: https://spenceralessi.com Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

    31 min
  5. May 12

    Episode 181: AI Zero Days (Google Threat Intelligence Report)

    Brad and Spencer break down Google Threat Intelligence Group's latest report on how adversaries are weaponizing AI across the entire attack lifecycle. The big takeaway isn't that AI has magically replaced attackers, but that it's making certain workflows faster, more scalable, and more repeatable. More importantly, AI platforms, agent skills, integrations, and dependencies are now becoming targets themselves.

    Topics covered include:
    - AI for vulnerability discovery and exploit development: Google's first confirmed case of a zero-day exploit developed entirely with AI, including intentional prompts like "You are currently a network security expert specializing in embedded devices"
    - Claude skills weaponization: A distilled knowledge base of over 85,000 real-world vulnerability cases integrated into AI research workflows
    - Automation and scaled research: APT45 sending thousands of repetitive prompts to recursively analyze CVEs and validate proof-of-concept exploits
    - AI-powered obfuscation techniques: Dynamic modification, evasive payload generation, and decoy logic using Gemini API for just-in-time VBScript obfuscation
    - Autonomous attack orchestration: Moving beyond content generation into sophisticated malware command automation, including PromptSpy navigating Android UI for persistence
    - AI-enhanced reconnaissance: Generating detailed organizational hierarchies and third-party relationships for high-value targets in finance, security, and HR departments
    - Information operations and deepfakes: Taking legitimate journalist videos, editing in fabricated content, and adding AI-generated voiceovers
    - Attacking AI dependencies: TeamPCP (UNC6780) targeting AI environments as initial access vectors, including March 2026 supply chain attacks on Trivy, Checkmarx, and LiteLLM
    - The Mini Shai-Hulud worm: May 2026 attacks targeting AI infrastructure and dependencies
    - Defensive fundamentals: Why inventory, zero trust principles, and behavioral monitoring matter more than ever

    Brad and Spencer emphasize that while the threat landscape is evolving rapidly, doubling down on foundational security practices remains the most effective defense strategy.

    Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇ Spencer's Links: https://spenceralessi.com Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

    41 min
  6. May 7

    Episode 180: Cybersecurity Echo Chambers — How to Think Critically in a Hype-Driven Industry

    In Episode 180, hosts Brad Causey and Spencer Alessi tackle a critical but often overlooked issue in cybersecurity: the echo chambers that can undermine critical thinking and effective security programs. Inspired by recent experiences at the ILTA Evolve conference, Spencer and Brad explore how cybersecurity professionals, from practitioners to executives, can fall into bubbles where everyone reinforces the same ideas without questioning underlying assumptions.

    Topics covered include:
    - What cybersecurity echo chambers look like: conferences where everyone "reaffirms what they already knew" instead of challenging assumptions
    - The AI hype cycle as a prime example: why the industry's multi-million-dollar conferences around "the new thing" miss the point that fundamental security principles still apply
    - Social media's role in amplifying bias: how anecdotes from single engagements get generalized into "every organization is terrible at X" without considering nuance
    - Conference culture and groupthink: when entire events operate in lockstep without anyone asking critical questions
    - The danger of not having your own opinion: how IT and security leaders without formed opinions become vulnerable to the best sales pitch rather than the best solution
    - Vendor influence on thought leadership: understanding financial and emotional motivations behind industry messaging
    - Strategies to combat echo chambers: doing your own research, questioning everything, admitting when you don't know something
    - The power of diverse perspectives: why opinions from people outside your expertise can be the most valuable
    - Acknowledging bias and being wrong: how intellectual humility breaks down echo chambers
    - Building a network of trusted advisors: asking people you trust what they think, even if they're not domain experts

    While technical skills are crucial, nothing ruins a cybersecurity organization like bad culture, and echo chambers are a subcategory of that cultural problem. Whether you're navigating conferences, evaluating vendors, or building your security program, this episode offers practical guidance for maintaining critical thinking in an industry that can be driven more by hype than substance.

    Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇ Spencer's Links: https://spenceralessi.com Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

    29 min
  7. Apr 30

    Episode 179: OWASP Top 10 Part 1 - Broken Access Control, IDOR, and CORS Explained

    In Episode 179 of the Cyber Threat Perspective podcast, host Brad Causey and web app pen tester Jordan Natter kick off a multi-part series on the OWASP Top 10, the newly updated list of the most common and critical web application security risks, with a fresh version released in 2025. Before diving in, Brad sets the record straight on something that's been bugging him for 20 years: the OWASP Top 10 is an awareness document, not a compliance framework, not a pen test checklist, and not a comprehensive defense guide. If your vendor claims they "comply with the OWASP Top 10," that's a red flag — you can't comply with an awareness document. Part 1 focuses entirely on A01: Broken Access Control — the most dangerous and most common category on the list — and the conversation goes deep with real-world stories from active engagements.

    Topics covered include:
    - What OWASP actually is — and why the Top 10 is both invaluable and widely misunderstood
    - Broken Access Control — what it means, why it tops the list, and how it manifests in real applications
    - JWT validation failures — a healthcare application where improper JWT handling allowed unauthorized access to admin functionality
    - MFA bypass via broken access control — a university application where MFA codes weren't properly scoped, enabling account takeover
    - CORS misconfigurations — how Cross-Origin Resource Sharing policies fail in modern Node and React applications, including a real story of bypassing CORS by allowing AWS resources
    - Insecure Direct Object References (IDOR) — why IDOR isn't just about changing integer IDs, including a university app where changing a student ID number led to staff-level privilege escalation
    - S3 bucket IDOR — how a modern web application exposed PHI by returning GUIDs in JSON responses that could be enumerated directly
    - Hidden functionality as false security — why hiding admin URLs from the navigation bar is obscurity, not security, and how Jordan accessed an entire admin PDF panel as an unauthenticated user just by copying a URL

    OWASP Top 10: https://owasp.org/Top10/2025/0x00_2025-Introduction/

    Blog: https://offsec.blog/ Youtube: https://www.youtube.com/@cyberthreatpov Twitter: https://x.com/cyberthreatpov Follow Spencer on social ⬇ Spencer's Links: https://spenceralessi.com Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

    29 min
5 out of 5, 16 Ratings
