On-Prem Red Team AI — engineering notes from the front line
Deep dives, comparisons and field reports on autonomous red team AI, generative pentesting, deep-packet traffic intelligence, NIS2/DORA, and how to operate them air-gapped.
Tags: Check Point VPN, CVE-2026-50751, Qilin Ransomware
Check Point VPN Zero-Day CVE-2026-50751: When an IKEv1 Auth Bypass Leaves No Login to Find
Check Point CVE-2026-50751 opens a VPN session with no password via deprecated IKEv1. A Qilin affiliate used it for a month before the patch — leaving identity logs nothing to flag.
8 min read

Tags: AI Agent Security, Account Takeover, Prompt Injection
Meta's AI Support Bot Gave Attackers Instagram Accounts: The AI Agent Attack Surface
Attackers talked Meta's AI support bot into hijacking Instagram accounts — a White House and a Space Force handle included. Why privileged AI agents are the attack surface your annual pentest never tests.
7 min read

Tags: OT Security, Critical Infrastructure, ICS
909 Exposed Tank Gauges: OT Critical Infrastructure on the Open Internet
909 US fuel tank gauges sit on the public internet, and CISA says attackers are running commands on them. A look at why OT critical infrastructure is invisible to endpoint security — and what actually sees it.
6 min read

Tags: CitrixBleed 3, NetScaler, Identity Edge
CitrixBleed 3: Why a March NetScaler Bug Is Your June Emergency
CVE-2026-3055 (CitrixBleed 3) was patched on 23 March. In early June, Fortinet confirmed large-scale exploitation. Here is why the patch alone never closed the door.
7 min read

Tags: Supply Chain, npm, eBPF
IronWorm npm: when Trusted Publishing becomes the attack surface
JFrog disclosed IronWorm on 3 June: an npm worm with a Rust binary, eBPF rootkit, Tor C2, and self-propagation via npm Trusted Publishing OIDC tokens.
7 min read

Tags: HTTP/2 Bomb, CVE-2026-49975, AI Pentest
HTTP/2 Bomb (CVE-2026-49975): when an AI agent chained two decade-old primitives nobody had composed
Codex composed HPACK amplification and Slowloris stalling into a 5,700:1 DoS chain hitting nginx, Apache, IIS, Envoy and Pingora — 880,000 servers exposed. The defensive lesson is symmetric.
7 min read

Tags: PAN-OS, VPN Auth Bypass, Continuous Compliance
PAN-OS CVE-2026-0257: when GlobalProtect is patched and exploitable at the same time
Palo Alto patched the GlobalProtect cookie-forge auth bypass on May 13. The exploit still works on patched firewalls if the portal reuses its TLS certificate. Patch state is not configuration state.
8 min read

Tags: Silent Ransom Group, Law Firms, Traffic Analysis
Silent Ransom Group Is Walking Into Law Firms — And EDR Can't See It
FBI FLASH-20260526-01 warns Silent Ransom Group (Luna Moth, UNC3753) is infiltrating US law firms by phone, by RDP — and, when those fail, by walking in with a USB stick. 38+ firms leaked. Endpoint stack misses it; wire-side traffic ML doesn't.
9 min read

Tags: FortiClient EMS, CVE-2026-35616, EKZ Infostealer
FortiClient EMS CVE-2026-35616: when the security vendor's management plane ships the malware
The EKZ infostealer arrived on managed endpoints disguised as a Fortinet patch — pushed through the FortiClient EMS API after an unauthenticated bypass. Two months between disclosure and active campaign, and Fortinet still hasn't published IOCs.
8 min read

Tags: AI Agent Attacks, Marimo CVE-2026-39987, Cloud Credential Theft
AI Agent Post-Exploitation Is Real: Marimo CVE-2026-39987 and the 60-Minute Pivot Chain
On May 10, 2026 Sysdig recorded what looks like the first AI-agent-driven post-exploitation in the wild — Marimo CVE-2026-39987 to PostgreSQL exfiltration in under an hour, across 11 egress IPs. What it changes for defenders.
8 min read

Tags: Supply Chain Attack, Botnet, AI Traffic Analysis
Glassworm Takedown: When C2 Hides in Solana, BitTorrent, and Google Calendar
On 2026-05-26 CrowdStrike, Google, and Shadowserver coordinated the takedown of Glassworm, a developer-targeting supply-chain botnet that ran command-and-control over Solana memo fields, BitTorrent DHT, and Google Calendar event titles.
8 min read

Tags: CVE-2026-48172, LiteSpeed, Shared Hosting
LiteSpeed cPanel CVE-2026-48172: when one tenant becomes root across every site you host
CVSS 10.0, actively exploited as a zero-day, added to CISA KEV on May 26 with a federal deadline of May 29. The shared-hosting blast radius is the real story — and quarterly pentest cycles cannot see it coming.
8 min read

Tags: NIS2, Known Vulnerabilities, ENISA Threat Landscape
NIS2's First Audit Deadline Is June 30. The 21.3% Known-CVE Gap Will Be the First Finding
On 30 June 2026 the first NIS2 compliance audit cycle closes. ENISA's 21.3% known-CVE intrusion rate stops being a slide and starts being an audit finding.
7 min read

Tags: Cisco SD-WAN, CVE-2026-20182, UAT-8616
Cisco SD-WAN CVE-2026-20182: the downgrade-and-revert chain a quarterly pentest cannot catch
CVSS 10.0 auth bypass on Cisco Catalyst SD-WAN Controller, UAT-8616 active since 2023, and a downgrade-then-revert kill chain that erases the version trail point-in-time audits depend on.
8 min read

Tags: ClickFix, Watering Hole, Traffic Analysis
Ghost CMS, ClickFix and the Watering Hole That Wears Harvard's Hostname
CVE-2026-26980 turned 700+ Ghost CMS sites into ClickFix watering holes — Harvard, Oxford and DuckDuckGo among them. The host you trusted is now the distributor.
9 min read

Tags: EDR, CISA KEV, Endpoint Security
EDR as Attack Surface: Defender and Apex One Zero-Days in 48 Hours
In a 48h window CISA added Microsoft Defender and Trend Micro Apex One zero-days to KEV. When the endpoint security stack itself is the entry point, continuous external validation is the only check that holds.
8 min read

Tags: Dwell Time, Healthcare, MTTD
Mandiant Says Dwell Time Is 14 Days. UNMC's Was 858.
The Mandiant M-Trends 2026 median dwell time is 14 days. The University of Nebraska Medical Center just disclosed an unauthorized-access window of 858 days. The gap is not a median problem — it's a detection-blind-spot problem the wire can fix and the host cannot.
6 min read

Tags: DORA, Incident Reporting, Financial Services
DORA's 4-hour clock: classification is the new evidence problem
DORA enforcement turns active in 2026: 4 hours to file from the moment an incident is classified major. The hard part isn't the report — it's classifying in time.
7 min read

Tags: CISA KEV, Legacy Vulnerabilities, Conficker
Conficker and Aurora Are Still on CISA KEV: the 2026 Legacy Attack Surface in Numbers
CISA's May 20, 2026 KEV update added five CVEs from 2008-2010 — including the original Conficker and Aurora bugs — plus two new Microsoft Defender flaws. The legacy attack surface is still alive.
9 min read

Tags: Manufacturing Ransomware, NIS2 Enforcement, Nitrogen Ransomware
Two Manufacturers in Eight Days: NIS2's Evidence Gap Just Got Concrete
West Pharmaceutical disclosed encryption-plus-exfiltration on 2026-05-07; Foxconn confirmed a Nitrogen ransomware breach on 2026-05-12. The post-incident audit question — what controls were active and provable — is no longer hypothetical.
8 min read

Tags: Supply Chain, SLSA Provenance, CI/CD Security
Signed Is Not Safe: When SLSA Provenance Ships Malware
Mini Shai-Hulud pushed npm packages carrying valid SLSA Build Level 3 provenance and Sigstore signatures. Supply-chain trust just broke a layer deeper — and runtime traffic is the last line that still sees it.
8 min read

Tags: Exfiltration-Only Ransomware, Traffic Analysis, Critical Infrastructure
Exfiltration-Only Ransomware: Why Wire-Speed Traffic ML Is Now the Last Line of Defense
Q1 2026 ransomware operators are skipping encryption and going straight to data theft. The new kill chain is silent unless you can spot exfiltration as it happens — at wire speed, on your network, not in tomorrow's SIEM digest.
5 min read

Tags: AI Ransomware, Critical Infrastructure, Generative Pentest
Generative Pentest vs AI Ransomware: A Defense Playbook for the 2026 Threat Landscape
AI-augmented ransomware, state-aligned wipers, and live-fire attacks on European utilities have reshaped what "adequate defense" means in 2026. This is the engineering case for continuous, generative penetration testing — and how to deploy it without giving up data sovereignty.
7 min read

Tags: Red Team AI, Pentest, Operations
AI vs. Human Red Teamer: Where Autonomy Actually Pays
Honest take from a team that builds both AI and human-led red team campaigns. We split the offensive security workflow into eight phases and look at exactly where an AI agent beats a senior pentester, where it doesn't, and where the right answer is hybrid.
5 min read

Tags: NIS2, DORA, Compliance
NIS2, DORA and the End of the Annual Pentest
NIS2 and DORA both push the same uncomfortable idea: security testing must be continuous and evidence-backed. Annual pentests no longer satisfy auditors. We map the regulatory requirements to a continuous AI pentest model and explain what an audit looks like when evidence is generated automatically.
4 min read

Tags: Red Team AI, On-Premise, Architecture
Red Team AI: Why On-Prem Beats Cloud for Enterprise Pentesting
Cloud-hosted AI pentest tools force you to ship your attack surface to a third party. We argue that on-prem AI red teams are the only viable path for regulated industries — and explain the architecture that makes it possible on a single appliance.
4 min read