HAIJA INTEL REPORT

Got identity security on your mind? This #KnowYourAdversary episode with Javier Azofra Ovejero of @SiemensHealth breaks down how attackers exploit gaps between AD, Entra ID, and CyberArk. Listen: https:// ghst.ly/4vsSRvg

Reproducing a Double Free RCE in Apache CVE-2026-23918 on the most used software on the internet with one prompt that costs like $0.001 via DeepSeek is scary as hell. Now, anyone with zero knowledge can hack the interne…

What GPT 5.4-Cyber can do while you’re 40,000ft in the air If you came to SOCON, you may have seen the fireside chat on Ouroboros (if you weren't too busy counting my "urm"s ). The blog post is now live, detailing how we can use Dev-Tunnels for lateral movement, and allow pivotin

On 5/6/26, #PaloAltoNetworks published a security advisory for a critical vuln. affecting PAN-OS PA-Series & VM-Series firewall appliances. CVE-2026-0300 carries a CVSSv4 score of 9.3 and has been confirmed as exploited…

"Red team" has become a catchall term. Some vendors mean pentesting. Others mean compliance theater. None of that tells you what actually matters: Would you detect an attacker once they're already in? @Ne0nd0g breaks it down

In his latest research, @_xpn_ tears apart VS Code Dev Tunnels and finds a C2 framework underneath - REST → WebSocket → SSH → MsgPack RPC, remote exec, file ops. Find the Ouroboros tool and protocol breakdown at the link!

One month to go until the next public edition of my Entra ID course in The Hague. Working on some roadrecon and roadtx updates from my backlog, and new content on agent identities! Tickets are still available via

For a Fistful of Dollars: Less than $100 of Compute Surfaces Pre-auth RCE in Apache httpd Write-up:

If you came to SOCON, you may have seen the fireside chat on Ouroboros (if you weren't too busy counting my "urm"s ). The blog post is now live, detailing how we can use Dev-Tunnels for lateral movement, and allow pivoting from GitHub/Entra ID access.

A failed login should not take 6 seconds. Bishop Fox researchers reproduced CVE-2026-42208 in LiteLLM’s proxy. The attack requires no authentication, still returns HTTP 401 responses, and uses timing delays to extract sensitive data. Observed in the wild roughly 36 hours after

After not receiving a raise in the four years I’ve worked at BHIS they’ve now decided to reduce my pay by $40k after coming back from maternity leave and moving my role to solely pentesting. So I am looking for a new position effective immediately if anyone has any leads

What a surprise A cybersecurity firm, “Red Access,” contacted us less than 24 hours before going to the media with vague claims about Replit. This is not how responsible security research works. The standard practice in terms of disclosure policies, as followed by CISA, CERT/CC,