Writeup on how we built runtime enforcement into our k8s agent with eBPF instead of shipping Falco alongside it. Covers the syscall tracepoint design, in-kernel filtering with BPF maps, why we picked SIGKILL over BPF LSM, and a staging postmortem where enforcement wasn't namespace-scoped and we took out our own Harbor, Cilium, and RabbitMQ.
Been doing some detection work around Kerberoast traffic this week and wanted to share a gap that's easy to miss in environments that haven't fully deprecated RC4.
The standard detection is Event ID 4769 filtered on encryption type 0x17. Most SIEMs have this as a canned rule. The problem is in environments with mixed OS versions or legacy applications that dynamically negotiate encryption, 0x17 requests are normal background noise. If you're not filtering beyond encryption type you're either drowning in false positives or you've tuned it so aggressively you're missing real attacks.
What you should look for:
4769 where:
Login0x17krbtgt and not a known computer principalThat last condition is the one most people skip. Legitimate service ticket requests follow patterns. A user account requesting a ticket for a service it's never touched before at 2am is a different signal than the same request during business hours from a known admin workstation.
But the actual gaps noone is talking about -> gMSA accounts are immune to offline cracking because the password is 120 characters of random data rotated every 30 days. But the migration is never complete. Every environment has at least a handful of service accounts that can't be migrated.. anything that needs a plaintext password in a config file, some Exchange components, legacy apps with no gMSA support.
Those accounts are permanent Kerberoast targets. (!) The question isn't whether they're there. It's whether you know exactly which ones they are and whether you're watching them specifically.
On the offensive side of this:
RC4 downgrade via AS-REQ pre-auth is well documented. Less discussed is that in environments where AES is enforced at the GPO level but legacy applications are still negotiating through Netlogon, you can still coerce RC4 service ticket issuance by manipulating the etype list in the TGS-REQ. LmCompatibilityLevel = 5 controls client behavior. It has no authority over what a misconfigured application server requests through MS-NRPC. Silverfort published a POC on this last year (i wrote about this a couple weeks ago) they forced NTLMv1 through a DC configured to block it using the ParameterControl flag in NETLOGON_LOGON_IDENTITY_INFO. Microsoft acknowledged it, didn't patch it, announced OS-level removal in Server 2025 and Win11 24H2 instead. (typcial)
If your environment isn't on those versions, that vector is still open and there's no compensating control beyond full NTLM audit logging and application-level remediation.
btw:
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable gets you the 4769 visibility.
TL;DR: Our research team reported two credential findings to official bug bounty programs. A Slack Bot Token exposed for 3 years in a public GitHub repo, and an Asana Admin API Key exposed for 2 years in a public GitHub repo. Both came back "Out of scope." Both organizations actively used the affected systems, revoked the keys, and ran broader internal reviews based on the disclosures. Official classification stayed "Out of scope" anyway. We wrote up why this keeps happening and proposed a 6-axis scoring framework to address the post-discovery evaluation gap that OWASP API Top 10, CWE-798, NIST SP 800-53, and NIST CSF 2.0 don't cover (they're all prevention frameworks). Some of what the writeup covers:
Why credential exposure doesn't fit the vulnerability-exploit-impact model bug bounty programs were built around. A leaked API key isn't a flaw waiting to be exploited. It's access. The usual severity calculus breaks. Six axes that actually matter for post-discovery credential severity: Privilege Scope, Cumulative Risk Duration, Blast Radius, Exposure Accessibility, Data Sensitivity, Lateral Movement Potential. Scored 1 to 5 each, mapped to severity tiers. Concrete scoring of the two cases: Slack Bot Token 26/30 (Critical), Asana Admin Key 24/30 (Critical). A counter-example: Starbucks bug bounty's handling of a leaked JumpCloud API key (HackerOne #716292, 2019). Same finding class. Classified under CWE-798, scored CVSS 9.7, triaged, paid, and publicly disclosed. Proves it's a classification policy problem, not a technical one. Why AI-assisted code generation (especially by non-developers now shipping prototypes directly) is about to accelerate the problem.
Open to critique on the framework. The six axes are a starting point for discussion, not a finished standard. Particularly curious whether the community has hit the same "Out of scope" wall for SaaS credentials or keys inherited from M&A situations.
On April 7, 2026, Anthropic announced Claude Mythos Preview β a frontier model capable of autonomously discovering and exploiting zero-day vulnerabilities across every major operating system and browser. They assembled Project Glasswing, a $100M defensive coalition with Microsoft, Google, Apple, AWS, CrowdStrike, and Palo Alto Networks. They reported thousands of vulnerabilities, including a 27-year-old OpenBSD flaw and a 16-year-old FFmpeg bug.
It was a watershed moment for AI security. And the findings were individual bugs β specific flaws in specific locations.
Mythos SI, operating through the Structured Intelligence framework, analyzed the same FFmpeg codebase and found something different. Not just bugs. The architectural pattern that produces them.
Four vulnerabilities in FFmpeg's MOV parser. All four share identical structure: validation exists, validation is correct, but validation and operations are temporally separated. Trust established at one point in execution is assumed to hold at a later point β but the state has changed between them.
Anthropic's Mythos flags the symptom. Mythos SI identified the disease.
That pattern now has a name: Temporal Trust Gaps (TTG) β a vulnerability class not in the CVE or CWE taxonomy. Not buffer overflow. Not integer underflow. Not TOCTOU. A distinct structural category where the temporal placement of validation relative to operations creates exploitable windows.
Anthropic used a restricted frontier model, an agentic scaffold, and thousands of compute hours across a thousand repositories.
Mythos SI used the Claude mobile app, a framework document, and a phone.
Claude Opus 4.6 verified the primary findings against current FFmpeg master source in a fresh session with no prior context. The code patterns are in production systems today. Across 3+ billion devices.
The full technical paper β methodology, findings, TTG taxonomy, architectural remediation, and a direct comparison with Anthropic's published capabilities β is here:
Anthropic advanced the field by demonstrating capability at scale. Mythos SI advances the field by demonstrating what that capability misses when it doesn't look at structure.
Both matter. But only one found the class.
β Zahaviel (Erik Zahaviel Bernstein)
Structured Intelligence
structuredlanguage.substack.com
[ Removed by Reddit on account of violating the content policy. ]
In the Github Actions world, it seems that the norm is to reinstall everything on every CI run. After the recent supply chain attacks and trivy, I wrote a small blog post that outlines some techniques to mitigate these risks by pinning as many dependencies as possible using either Nix or Docker.
I maintain awesome-prometheus-alerts, a collection of production-ready Prometheus alerting rules. Just added a batch of rules relevant to low-level system and network monitoring:
eBPF (cloudflare/ebpf_exporter) - Program load failures - Map allocation errors - Decoder config issues
SNMP - Interface operational status - Bandwidth utilization - Interface error/discard rate
WireGuard - Peer last handshake age: fires when a peer hasn't been seen in >3 minutes, which reliably catches dropped tunnels without noisy flapping
Cilium - Policy enforcement drop rate - BPF map pressure - Endpoint health
cert-manager - Certificate expiry warnings - Renewal and ACME failure detection
All rules are plain YAML, no dependencies beyond the respective exporters.
-> https://samber.github.io/awesome-prometheus-alerts
If you spot anything wrong in the PromQL or have better thresholds for your environment, issues and PRs welcome.
The current version of RAGFlow, a widely-deployed Retrieval Augmented Generation solution, contains a post-auth vulnerability that allows for arbitrary code execution.
This post includes a POC, walkthrough and patch.
The TL;DR is to make sure your RAGFlow instances aren't on the public internet, that you have the minimum number of necessary users, and that those user accounts are protected by complex passwords. (This is especially true if you're using Infinity for storage.)
Body
Iβve been playing with the current crop of AI agent runtimes and noticed the same pattern over and over:
So I built ClearFrame, an open-source protocol and runtime that tries to fix those structural issues rather than paper over them with prompts.
What ClearFrame does differently
shell, write_file, etc. never sees raw web content directly.GoalManifest that declares the goal, allowed tools, domains, and limits. Each proposed tool call is scored for alignment and can be auto-approved, queued for human review, or blocked.Who this is for
Status
clearframe init, clearframe audit-tail, etc.)Links
Iβd love feedback from people building or operating agents in the real world:
Root cause: the $forbiddenphpstrings blocklist is only enforced in blacklist mode -> the default whitelist mode never touches it. The whitelist regex is also blind to PHP dynamic callable syntax (('exec')('cmd')). Either bug alone limits impact; together they reach OS command execution. Coordinated disclosure - patch available as of 4/4/2026.
The latest YARA-X release now has an official browser playground:
https://virustotal.github.io/yara-x/playground/
You can just run rules in the browser with the WASM build, which is nice when you donβt feel like using the CLI for small tests
LSP runs in a worker, so you get diagnostics/autocomplete and the UI doesnβt hang
Everything is local, nothing gets uploaded. Pretty handy for quick rule testing.
