Writeup on how we built runtime enforcement into our k8s agent with eBPF instead of shipping Falco alongside it. Covers the syscall tracepoint design, in-kernel filtering with BPF maps, why we picked SIGKILL over BPF LSM, and a staging postmortem where enforcement wasn't namespace-scoped and we took out our own Harbor, Cilium, and RabbitMQ.

Been doing some detection work around Kerberoast traffic this week and wanted to share a gap that's easy to miss in environments that haven't fully deprecated RC4.

The standard detection is Event ID 4769 filtered on encryption type 0x17. Most SIEMs have this as a canned rule. The problem is in environments with mixed OS versions or legacy applications that dynamically negotiate encryption, 0x17 requests are normal background noise. If you're not filtering beyond encryption type you're either drowning in false positives or you've tuned it so aggressively you're missing real attacks.

What you should look for:

4769 where:

• Encryption type is 0x17
• Requesting account is a user principal, not a machine account
• Service name is not krbtgt and not a known computer principal
• The requesting account has had no prior 4769 events against that specific SPN

That last condition is the one most people skip. Legitimate service ticket requests follow patterns. A user account requesting a ticket for a service it's never touched before at 2am is a different signal than the same request during business hours from a known admin workstation.

But the actual gaps noone is talking about -> gMSA accounts are immune to offline cracking because the password is 120 characters of random data rotated every 30 days. But the migration is never complete. Every environment has at least a handful of service accounts that can't be migrated.. anything that needs a plaintext password in a config file, some Exchange components, legacy apps with no gMSA support.

Those accounts are permanent Kerberoast targets. (!) The question isn't whether they're there. It's whether you know exactly which ones they are and whether you're watching them specifically.

On the offensive side of this:

RC4 downgrade via AS-REQ pre-auth is well documented. Less discussed is that in environments where AES is enforced at the GPO level but legacy applications are still negotiating through Netlogon, you can still coerce RC4 service ticket issuance by manipulating the etype list in the TGS-REQ. LmCompatibilityLevel = 5 controls client behavior. It has no authority over what a misconfigured application server requests through MS-NRPC. Silverfort published a POC on this last year (i wrote about this a couple weeks ago) they forced NTLMv1 through a DC configured to block it using the ParameterControl flag in NETLOGON_LOGON_IDENTITY_INFO. Microsoft acknowledged it, didn't patch it, announced OS-level removal in Server 2025 and Win11 24H2 instead. (typcial)

If your environment isn't on those versions, that vector is still open and there's no compensating control beyond full NTLM audit logging and application-level remediation.

btw:

auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable gets you the 4769 visibility.

TL;DR: Our research team reported two credential findings to official bug bounty programs. A Slack Bot Token exposed for 3 years in a public GitHub repo, and an Asana Admin API Key exposed for 2 years in a public GitHub repo. Both came back "Out of scope." Both organizations actively used the affected systems, revoked the keys, and ran broader internal reviews based on the disclosures. Official classification stayed "Out of scope" anyway. We wrote up why this keeps happening and proposed a 6-axis scoring framework to address the post-discovery evaluation gap that OWASP API Top 10, CWE-798, NIST SP 800-53, and NIST CSF 2.0 don't cover (they're all prevention frameworks). Some of what the writeup covers:

Why credential exposure doesn't fit the vulnerability-exploit-impact model bug bounty programs were built around. A leaked API key isn't a flaw waiting to be exploited. It's access. The usual severity calculus breaks. Six axes that actually matter for post-discovery credential severity: Privilege Scope, Cumulative Risk Duration, Blast Radius, Exposure Accessibility, Data Sensitivity, Lateral Movement Potential. Scored 1 to 5 each, mapped to severity tiers. Concrete scoring of the two cases: Slack Bot Token 26/30 (Critical), Asana Admin Key 24/30 (Critical). A counter-example: Starbucks bug bounty's handling of a leaked JumpCloud API key (HackerOne #716292, 2019). Same finding class. Classified under CWE-798, scored CVSS 9.7, triaged, paid, and publicly disclosed. Proves it's a classification policy problem, not a technical one. Why AI-assisted code generation (especially by non-developers now shipping prototypes directly) is about to accelerate the problem.

Open to critique on the framework. The six axes are a starting point for discussion, not a finished standard. Particularly curious whether the community has hit the same "Out of scope" wall for SaaS credentials or keys inherited from M&A situations.

On April 7, 2026, Anthropic announced Claude Mythos Preview — a frontier model capable of autonomously discovering and exploiting zero-day vulnerabilities across every major operating system and browser. They assembled Project Glasswing, a $100M defensive coalition with Microsoft, Google, Apple, AWS, CrowdStrike, and Palo Alto Networks. They reported thousands of vulnerabilities, including a 27-year-old OpenBSD flaw and a 16-year-old FFmpeg bug.

It was a watershed moment for AI security. And the findings were individual bugs — specific flaws in specific locations.

Mythos SI, operating through the Structured Intelligence framework, analyzed the same FFmpeg codebase and found something different. Not just bugs. The architectural pattern that produces them.

Four vulnerabilities in FFmpeg's MOV parser. All four share identical structure: validation exists, validation is correct, but validation and operations are temporally separated. Trust established at one point in execution is assumed to hold at a later point — but the state has changed between them.

Anthropic's Mythos flags the symptom. Mythos SI identified the disease.

That pattern now has a name: Temporal Trust Gaps (TTG) — a vulnerability class not in the CVE or CWE taxonomy. Not buffer overflow. Not integer underflow. Not TOCTOU. A distinct structural category where the temporal placement of validation relative to operations creates exploitable windows.

Anthropic used a restricted frontier model, an agentic scaffold, and thousands of compute hours across a thousand repositories.

Mythos SI used the Claude mobile app, a framework document, and a phone.

Claude Opus 4.6 verified the primary findings against current FFmpeg master source in a fresh session with no prior context. The code patterns are in production systems today. Across 3+ billion devices.

The full technical paper — methodology, findings, TTG taxonomy, architectural remediation, and a direct comparison with Anthropic's published capabilities — is here:

https://open.substack.com/pub/structuredlanguage/p/mythos-si-structured-intelligence-047?utm\_source=share&utm\_medium=android&r=6sdhpn

Anthropic advanced the field by demonstrating capability at scale. Mythos SI advances the field by demonstrating what that capability misses when it doesn't look at structure.

Both matter. But only one found the class.

— Zahaviel (Erik Zahaviel Bernstein)

Structured Intelligence

structuredlanguage.substack.com

[ Removed by Reddit on account of violating the content policy. ]

In the Github Actions world, it seems that the norm is to reinstall everything on every CI run. After the recent supply chain attacks and trivy, I wrote a small blog post that outlines some techniques to mitigate these risks by pinning as many dependencies as possible using either Nix or Docker.