- https://bsidessf2026.sched.com/event/2E1h4/we-pwn-the-night-growing-leading-an-31337-security-research-team?iframe=yes&w=100%&sidebar=yes&bg=no
- https://drive.google.com/file/d/1_zLH8vuHU1XOjEyk85WecQwSByDwxAmQ/view?pli=1
- https://securing.dev/posts/if-i-were-eighteen-again/
- https://research.nvidia.com/labs/lpr/slm-agents/
Keith Hoodlet is the Application Security Manager at Thermo Fisher Scientific. He is the Co-Founder of the InfoSec Mentors Project.
As Chief Strategy Officer, Ron leads Silverfort’s strategic alliances with technology partners, as well as its growth operations and business strategy. He brings more than 15 years of hands-on product management experience and cyber security expertise. Prior to joining Silverfort, Ron was the Director of Product Management at Claroty, and held product management roles at Wix and NCR. Before that, Ron served as a Team Leader in the Israel Defense Forces' elite 8200 cyber unit. Ron holds a B.A. in Economics from Tel Aviv University.
Shashwat Sehgal is the Co-Founder and CEO of P0 Security. He’s spent most of his career building security and observability products for developers, DevOps, and security teams.
Shashwat is passionate about solving the problem of cloud access security and helping security engineers control ‘who has access to sensitive resources in their clouds.’
He enjoys playing tennis, spending time with his family, teaching his son how to play chess, and geeking out on all things security.
Mike Shema
- A 32-Year-Old Bug Walks Into A Telnet Server (GNU inetutils Telnetd CVE-2026-32746 Pre-Auth RCE)
I will always be fascinated by flaws that survive decades of development and security testing.
This example gives another reminder of the simple lesson that if you find one bug, you should search your codebase for similar variants of that bug. In this case, a client-side fix for the same insecure code pattern was applied back in 2005, yet the server-side code remained unfixed, and apparently unnoticed, for the two decades that followed.
Sure, it's an archaic protocol by now, but the article points out why and where it may still be found in production systems.
- No Prompt Injection Required
The LiteLLM compromise drew the extra attention that anything LLM-related gets these days, even though the attack, its consequences, and its countermeasures are familiar from supply chain security incidents of the last year, the last decade, and the decade before that.
This article nicely walks through what happened and the "huh" factor that led to the malware's discovery. It also wraps up with good reminders about basic security practices to apply to package management.
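One of those basic package-management practices is pinning every dependency to an exact version and an artifact hash, so a tampered or typosquatted release cannot satisfy a loose specifier. The script below is an added example, not code from the article or from LiteLLM: it audits a pip requirements file for lines that float or carry no hash. The sample requirements file is constructed for the demo, and the hash shown is a well-formed placeholder rather than the real digest of any release.

```python
"""Flag requirement lines that float or lack an artifact hash.

Added example (not from the article or LiteLLM).  pip enforces the same rule
at install time with `pip install --require-hashes -r requirements.txt`;
this reports the offending lines before that step fails.
"""
import re
from dataclasses import dataclass

# Constructed sample input.  The hash is a well-formed placeholder, not the
# real digest of any requests release.
SAMPLE_REQUIREMENTS = """\
# good: exact pin plus a sha256 hash, continued over two lines
requests==2.32.3 \\
    --hash=sha256:9f8e7d6c5b4a39281706f5e4d3c2b1a09f8e7d6c5b4a39281706f5e4d3c2b1a0
# bad: floating lower bound, so any future (or malicious) release satisfies it
litellm>=1.0
# bad: exact pin but no hash, so whatever the index serves is trusted blindly
urllib3==2.2.2
# bad: compatible-release operator still floats across 3.x
flask~=3.0
"""

# package name, optional [extras], then an exact '==' version
PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*\s*(\[[^\]]*\])?\s*==\s*[A-Za-z0-9.!+*-]+")
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):[0-9a-fA-F]+")


@dataclass
class Finding:
    line_no: int
    requirement: str
    problems: list[str]


def logical_lines(text: str):
    """Yield (first_line_no, text) with comments removed and backslash continuations joined."""
    start, parts = None, []
    for n, raw in enumerate(text.splitlines(), 1):
        # pip treats '#' as a comment only at line start or after whitespace
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line and not parts:
            continue
        if start is None:
            start = n
        if line.endswith("\\"):
            parts.append(line[:-1].strip())
            continue
        parts.append(line)
        yield start, " ".join(p for p in parts if p)
        start, parts = None, []
    if parts:  # dangling continuation at end of file
        yield start, " ".join(p for p in parts if p)


def audit_requirements(text: str) -> list[Finding]:
    """Return one Finding per requirement that is not exactly pinned or has no hash."""
    findings = []
    for line_no, req in logical_lines(text):
        problems = []
        if not PIN_RE.match(req):
            problems.append("version is not pinned with ==")
        if not HASH_RE.search(req):
            problems.append("no --hash= for the artifact")
        if problems:
            findings.append(Finding(line_no, req.split()[0], problems))
    return findings


if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f.line_no}: {f.requirement}: " + "; ".join(f.problems))
```

Run it in CI before `pip install --require-hashes`, which refuses any requirement that lacks a hash and any downloaded artifact whose digest does not match; `pip hash <file>` produces the value to record.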
- Agents of Chaos
This research leans more into a superset of appsec, with testing on safety and alignment in addition to more familiar items like DoS, identity spoofing, and tool calls.
This report is very well written and organized. I particularly appreciate the use of emojis to distinguish the various actors, i.e. robot for agents and human for humans.
- Don’t trust, verify | daniel.haxx.se
This is a great example of how to reason through a threat model without having to use the jargon of threat modeling or even focus on explicit security controls.
The end of the article has 21 tactical steps that the project has taken to maintain quality and security. I love the specificity of these items (far more than a generic top ten list) and most of them translate to any large project that needs to be maintained over time. Even if your project isn't in C, there are likely still functions you want to avoid and there are surely styles that you want to encourage for readability. The emphasis on documentation and testing (including fuzzing!) would benefit any project, whether open or closed source.
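The "functions you want to avoid" point here and the telnetd item's advice to search your codebase for variants of a bug you just fixed are the same mechanical job: find every call to a named set of functions across a source tree, ignoring mentions in comments and strings. The scanner below is an added example and not curl's own tooling; its banned list is an assumption for the demo rather than curl's list, the C file it scans is constructed, and it is regex-based (a lint-grade version would use a real tokenizer).

```python
"""Find calls to banned (or newly suspect) functions across C sources.

Added example, not curl's tooling.  The banned list is an assumption for the
demo.  Known limitation of the regex approach: a '/*' inside a string literal
is treated as a comment start.
"""
import re
from pathlib import Path
from typing import Iterable

BANNED_DEFAULT = ("strcpy", "strcat", "sprintf", "vsprintf", "gets")

BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
STRING_RE = re.compile(r'"(?:\\.|[^"\\\n])*"')
LINE_COMMENT_RE = re.compile(r"//[^\n]*")


def _blank(m: re.Match) -> str:
    """Replace a match with spaces, keeping newlines so line numbers survive."""
    return re.sub(r"[^\n]", " ", m.group(0))


def strip_noise(src: str) -> str:
    """Blank out comments and string literals so text inside them never counts as a call."""
    src = BLOCK_COMMENT_RE.sub(_blank, src)
    src = STRING_RE.sub(_blank, src)
    return LINE_COMMENT_RE.sub(_blank, src)


def find_calls(src: str, names: Iterable[str] = BANNED_DEFAULT) -> list[tuple[int, str]]:
    """Return (line_no, function_name) for each call to one of `names` in C source text."""
    pat = re.compile(r"\b(" + "|".join(map(re.escape, names)) + r")\s*\(")
    hits = []
    for n, line in enumerate(strip_noise(src).splitlines(), 1):
        if line.lstrip().startswith("#"):  # preprocessor lines (e.g. #define wrappers) are not calls
            continue
        hits.extend((n, m.group(1)) for m in pat.finditer(line))
    return hits


def scan_tree(root: str, names: Iterable[str] = BANNED_DEFAULT,
              exts=(".c", ".h")) -> dict[str, list[tuple[int, str]]]:
    """Run find_calls over every source file under `root`; returns {path: hits} for files with hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.suffix in exts and path.is_file():
            hits = find_calls(path.read_text(errors="replace"), names)
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample: one real strcpy and one real sprintf; the other mentions are decoys.
SAMPLE_C = r'''#include <stdio.h>
#include <string.h>
/* legacy helper; the text strcpy( in this comment must not count */
static void greet(const char *name) {
    char buf[64];
    strcpy(buf, name);                          /* unbounded copy into a fixed buffer */
    printf("strcat(x, y) is only text here\n");
    snprintf(buf, sizeof buf, "%s", name);      /* bounded: fine */
    sprintf(buf, "hello %s", name);             // unbounded format into buf
}
'''

if __name__ == "__main__":
    for line_no, fn in find_calls(SAMPLE_C):
        print(f"sample.c:{line_no}: banned call {fn}()")
```

For variant hunting after a fix, pass the function (or set of functions) involved in the bug as `names` and run `scan_tree` over the whole repository, including the side of the code base (client or server) that did not receive the original fix.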
- HTTP/1.1 Must Die: Conquering the 0.CL Challenge | Blog – PortSwigger
This popped up about two weeks ago. It's a very different type of article from the usual agent and vulnerability news we see: a nice, technical walkthrough of a request smuggling attack.
Would you like to see more focused, technical content like this? Let us know!
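The mechanism underneath any request smuggling attack is two HTTP/1.1 parsers disagreeing about where one request ends and the next begins. The code below is an added example, not PortSwigger's, and it does not reproduce the article's 0.CL technique (whose details are not on this page); it shows the classic CL.TE form of the same desync. A front end that frames by Content-Length and a back end that frames by Transfer-Encoding: chunked cut a constructed byte stream in different places, and a strict framer that refuses ambiguous length headers removes the disagreement.

```python
"""Same bytes, two framings: the mechanism behind HTTP/1.1 request smuggling.

Added example, not PortSwigger's code; classic CL.TE, not the article's 0.CL.
RFC 9112 section 6.1 permits a server to reject a request carrying both
Content-Length and Transfer-Encoding, which is what frame_strict does.
"""


class AmbiguousFraming(ValueError):
    """Raised by frame_strict when two reasonable parsers could disagree on the length."""


def split_head(data: bytes):
    """Return (request_line, headers, body); header names lowercased, values kept as a list."""
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers: dict[bytes, list[bytes]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def frame_by_content_length(data: bytes) -> tuple[bytes, bytes]:
    """Front-end view: the body is exactly Content-Length bytes (0 if absent). Returns (request, leftover)."""
    _, headers, body = split_head(data)
    head_len = len(data) - len(body)
    n = int(headers.get(b"content-length", [b"0"])[0])
    return data[: head_len + n], body[n:]


def frame_by_chunked(data: bytes) -> tuple[bytes, bytes]:
    """Back-end view: if Transfer-Encoding says chunked, the body ends after the zero chunk and trailers."""
    _, headers, body = split_head(data)
    if b"chunked" not in b",".join(headers.get(b"transfer-encoding", [])).lower():
        return frame_by_content_length(data)
    head_len = len(data) - len(body)
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0].strip(), 16)  # chunk-size; extensions ignored
        pos = line_end + 2
        if size == 0:
            break
        pos += size + 2  # chunk-data plus its CRLF
    while True:  # trailer section ends at an empty line
        line_end = body.index(b"\r\n", pos)
        pos = line_end + 2
        if line_end == pos - 2:
            break
    return data[: head_len + pos], body[pos:]


def frame_strict(data: bytes) -> tuple[bytes, bytes]:
    """Hardened view: refuse any request whose length is not unambiguous."""
    _, headers, _ = split_head(data)
    cl = headers.get(b"content-length", [])
    te = headers.get(b"transfer-encoding", [])
    if cl and te:
        raise AmbiguousFraming("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1 or any(not v.isdigit() for v in cl):
        raise AmbiguousFraming("conflicting or malformed Content-Length")
    if te and te[-1].split(b",")[-1].strip().lower() != b"chunked":
        raise AmbiguousFraming("Transfer-Encoding without chunked as the final coding")
    return frame_by_chunked(data) if te else frame_by_content_length(data)


def is_ambiguous(data: bytes) -> bool:
    try:
        frame_strict(data)
        return False
    except AmbiguousFraming:
        return True


# Constructed CL.TE request: Content-Length covers the whole 13-byte body, but
# chunked framing ends after "0\r\n\r\n", leaving "SMUGGLED" for the next request.
SMUGGLE = (
    b"POST / HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"0\r\n\r\nSMUGGLED"
)
CLEAN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"

if __name__ == "__main__":
    print("front end leaves:", frame_by_content_length(SMUGGLE)[1])
    print("back end leaves:", frame_by_chunked(SMUGGLE)[1])
    print("strict framer rejects SMUGGLE:", is_ambiguous(SMUGGLE))
```

The leftover `SMUGGLED` bytes are the whole attack: the front end believes it forwarded one complete request, while the back end starts parsing the next request from those bytes, prefixing whatever the next user sends on the same connection. The strict framer is the server-side half of the fix; the other half, as the article's title says, is not speaking HTTP/1.1 between proxy and origin at all.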
- Introducing the OpenSSF Ambassador Program
Here's an opportunity to collaborate with people, influence the security of open source projects, and help build more educational resources for developers.
- How NOT to Get Your Conference Submission Binned – Spherical Cow Consulting
Writing remains a critical skill. As we start the CFP countdowns for all the summer conferences, here's a reference for how to avoid relying on LLMs as your voice and instead craft concise, appealing pitches for your presentation ideas.