On-Prem Red Team AI — engineering notes from the front line
Deep dives, comparisons and field reports on autonomous red team AI, generative pentesting, deep-packet traffic intelligence, NIS2/DORA, and how to operate them air-gapped.
- FortiSandboxCVE-2026-39808Edge Appliance Security
FortiSandbox CVE-2026-39808: The Security Appliance Nobody Watches
Two FortiSandbox flaws (CVE-2026-39808, CVE-2026-39813) patched in April are now exploited in the wild. Why agentless security appliances are a detection blind spot — and how to catch their compromise.
6 min read - AI GatewayLiteLLMMCP Security
LiteLLM CVE-2026-42271: the AI gateway is now an RCE surface
LiteLLM CVE-2026-42271 turns the most widely deployed AI gateway into unauthenticated RCE via its MCP test endpoints. Why the LLM proxy is the asset nobody inventoried.
8 min read - Air-Gap SecurityVelvet AntCritical Infrastructure
Ten Years Inside an Air-Gapped Network: Velvet Ant's Operation Highland
Velvet Ant spent a decade inside an air-gapped critical-infrastructure network by backdooring Linux PAM and OpenSSH. Why the air gap is not the control you think it is.
8 min read - SplunkPre-Auth RCESIEM Security
Splunk CVE-2026-20253: a Pre-Auth RCE Inside Your SIEM
Splunk Enterprise CVE-2026-20253 is an unauthenticated RCE chained through a PostgreSQL sidecar — the SIEM itself becomes the attack surface. The mechanism and the blind spot.
7 min read - RansomwareSelf-Propagating MalwareLateral Movement
The Gentlemen Ransomware: A Self-Propagating Worm Your EDR Can't See
The Gentlemen (Storm-2697) turned its encryptor into a worm with 21 lateral-movement methods — and disables Defender on every host it touches. Why the network sees what the endpoint can't.
7 min read - Oracle PeopleSoftShinyHuntersCVE-2026-35273
Oracle PeopleSoft Zero-Day CVE-2026-35273: ShinyHunters Was Gone Before the Advisory
ShinyHunters exploited a CVSS 9.8 PeopleSoft zero-day (CVE-2026-35273) against 100+ orgs — 68% universities — and Google had to notify the victims. The breach-evidence reckoning.
8 min read - Veeam BackupCVE-2026-44963Ransomware
Veeam CVE-2026-44963: any domain user can own your backups
CVE-2026-44963 gives any low-privilege domain account remote code execution on Veeam backup servers — the one box ransomware crews always hit first, and the one your annual pentest never scopes.
6 min read - Check Point VPNCVE-2026-50751Qilin Ransomware
Check Point VPN Zero-Day CVE-2026-50751: When an IKEv1 Auth Bypass Leaves No Login to Find
Check Point CVE-2026-50751 opens a VPN session with no password via deprecated IKEv1. A Qilin affiliate used it for a month before the patch — leaving identity logs nothing to flag.
8 min read - AI Agent SecurityAccount TakeoverPrompt Injection
Meta's AI Support Bot Gave Attackers Instagram Accounts: The AI Agent Attack Surface
Attackers talked Meta's AI support bot into hijacking Instagram accounts — a White House and a Space Force handle included. Why privileged AI agents are the attack surface your annual pentest never tests.
7 min read