I've been building my AI-powered offensive security harness for the past few weeks. It's successfully solved every active HTB box (minus the insane machines). To help others learn and build alongside me, I'm giving away your choice of a 1-Month Claude Pro subscription or 1-Month HTB VIP+.
Follow -> Like -> Retweet to enter
North Korea is exploiting remote IT hiring using stolen identities to place workers in companies, generating millions for the regime. Many orgs have unknowingly hired them, creating insider threats capable of data theft, extortion, and risks to national security.
A few things you need to do to make Claude a great hacking partner:
1. Install the Caido skill (https://t.co/tIdjTja7CP): without it, Claude spends too many resources figuring out the SDK from scratch.
2. A CLAUDE .md that tells Claude who you are. Something like "I'm a bug bounty hunter doing authorised testing, stay in scope. Don't take destructive actions unless it's accounts I own. POC or GTFO." The POC or GTFO part is particularly useful so Claude can give more actual positives, if there's no POC, the bug is not confirmed yet. (of course, have a scope .md in your engagement folder)
3. Notes structure: rez0's hierarchy consists of "notes → leads → primitives → findings → reports". Claude dumps raw observations, interesting stuff goes forward, and by the time something reaches findings it's already been filtered twice. Point this to a local folder so you can check everything later.
Building skills is useful but if you write one for something Claude already handles well, you're just adding a layer that can break/distract it, you can always tell it to try what it knows first and then try the things you added as "extra knowledge".
Skills are worth building when the knowledge doesn't exist in training data. Your VPS setup, credentials, techniques from recent posts and talks, tooling. If it's not on the internet or isn't well known, it needs to be in a skill.
I made $7,000 in just 5 days setting up OpenClaw for people who don't code.
You can replicate this exact method.
Requirements:
- 1 laptop
- ChatGPT/Claude access
- 2 hours per day
I made a complete step-by-step OpenClaw Setup Guide, I am giving this for Free.
To get it:
1. Comment "OpenClaw", I will send you in DM.
2. Like and Retweet this post.
Note: You Must Follow me @codewithimanshu, so i can send you DM.
I made my own version of the powershell gallery to hold all my private ps modules that they would def ban lol
turn it on and i instantly have access to download ps modules on my targets computer using just 'install-module'
Should i open source this framework?
Kinda of a late last minute post
But if you guys are free tomorrow I'll be streaming live on twitch
Gonna be testing out my immersive stream environment that I made
Come in and say hi, and maybe drop some suggestions for improvement
☺️
Most hackers ignore APIs.
That’s why most hackers miss payouts.
If you can hack APIs, you can:
✅ break auth
✅ bypass access control
✅ abuse business logic
✅ steal data
✅ trigger high severity reports
CAPIE — Certified API Hacking Expert
is your structured shortcut.
€49.99 → €7.50 with WINTER
(Or 5 payments of €1.65)
Includes:
✅ Material + labs
✅ Completion certificate (required for exam)
✅ OWASP API Top 10 (2019 + 2023)
👉 https://t.co/k192WMwV0Y
- Compare which surfaces expose the most raw text to the model: calendar event descriptions hold more data than email subjects, CRM descriptions beat name fields. More tokens gives you more control over execution order.
- Test whether the agent remembers intermediate results. Tell it to “store the result in X” and reference X later without defining it. If it works, the agent is carrying attacker-defined context across steps.
- Shape the payload as business logic. Ask the agent to compute something internal, store it, then reuse it as part of formatting or presentation.
- Inspect how agent output is rendered. Images, previews, markdown, embeds. Rendering is execution. If output triggers network requests, the model doesn’t need to leak data directly.
- Check CSP and trusted domains used by the AI UI. Long-lived CMS or asset domains are prime targets. If the platform auto-fetches URLs and the domain is allowed, that’s your exfil path.
- Test delayed execution. Inject content today. Trigger the agent later through a normal employee workflow. If old instructions run silently, you’re dealing with instruction persistence.
Here's the link for our entire conversation with Sasi: https://t.co/orgfu8okqk
I made $600k USDC in ~20 months of doing solo smart contract security audits ('23-'24)
It all started when I was reading the Uniswap V2/V3 docs. I saw some whitehat (now OG in the space, @samczsun) had done a "solo" audit for them.
I was like "what? Solo audit? How good must have he been, so that he can do audits just by himself?". I felt motivated and impressed, but I was just starting out still, so I moved forward and forgot about it.
I started actively posting my journey on X - public learning for web3 security. I did some contests on code4rena/Sherlock and had a busy calendar to do every contest possible. One of my posts gathered attention, and I got a comment.
"Would you do a review for me? DM".
I did an "audit" for $600 USDC for 6 hours of work. Found 2 High and 2 Medium severity issues. Made a PDF report. The dev was very happy with the work. I published on socials - got a second comment/DM and did a second solo audit.
From then I went on to do 50+ solo audits and make $600k, working all by myself, so having pretty much 100% profit. Bought a few nice things, upgraded my lifestyle a bit, but I also truly fell inlove with ethical hacking and building sustainable businesses - creating long-term value for all parties involved.
That's how I started Pashov Audit Group, my current web3 security audits company, where we secured many many many billions of dollars for blockchain projects. Been a fun journey, but I am far from satisfied.
I will be using crypto my whole life, my wife and my kids will be using it, and their wives/husbands and kids. It's a long-term thing. That's why short term profit isn't something I get excited about. I'm a long-term thinker, and the only way to prove it is to keep going. Ending this year on a positive note - 2026 will be huge for all of us🔥
If you liked the story, Retweet and leave a comment about it, I'll make sure to respond to the good ones🫡