@liran_tal Sandbox is table stakes. I’d treat skills as executable dependencies with identity attached, then make provenance and token scope the control plane. The ugly part is egress, because a harmless skill becomes interesting once it can call out with someone else’s context.
@santtiagom_ For small changes in a repo, Codex is turning out faster for me. For thinking through architecture or pinning down criteria, Claude Code. The problem shows up when either one runs with broad permissions and nobody looks at the diff.
@learnk8s Good identity map. The failure mode I see in real clusters is stale service account assumptions surviving after federation arrives. If token audience, lifetime, and cloud role binding are not reviewed together, the blast radius just moves.
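The three-way review the reply describes (audience, lifetime, cloud role binding checked together) as an added example, not code from the original post or from learnk8s. The tokens and the service-account-to-role map below are constructed test data: unsigned JWT-shaped strings and a hypothetical IRSA-style binding table, not anything captured from a cluster.

```python
import base64
import json

# Added example: review a Kubernetes service account token's claims together
# with the cloud role federated to that service account. All tokens and the
# ROLE_BINDINGS map are constructed for illustration (hypothetical values).

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_unsigned_token(claims):
    """Build a JWT-shaped string with an empty signature (constructed test data)."""
    return f"{_b64url_encode({'alg': 'none'})}.{_b64url_encode(claims)}."

def decode_claims(token):
    """Return JWT claims WITHOUT verifying the signature. This reviews what was
    issued; signature verification stays with the API server / cloud STS."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def review_token(token, expected_audience, max_lifetime_s, role_bindings, admin_roles):
    """Check audience, lifetime and cloud role binding in one pass.
    role_bindings maps 'system:serviceaccount:<ns>:<name>' to the cloud role
    federated to it (hypothetical shape, e.g. an IRSA/Workload Identity annotation).
    Returns a list of findings; an empty list means all three checks passed."""
    claims = decode_claims(token)
    findings = []
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if expected_audience not in aud:
        findings.append(f"audience {aud} does not include {expected_audience}")
    lifetime = claims.get("exp", 0) - claims.get("iat", 0)
    if lifetime > max_lifetime_s:
        findings.append(f"lifetime {lifetime}s exceeds {max_lifetime_s}s")
    sub = claims.get("sub")
    role = role_bindings.get(sub)
    if role is None:
        findings.append(f"{sub} has no reviewed cloud role binding")
    elif role in admin_roles:
        findings.append(f"{sub} is bound to privileged role {role}")
    return findings

# Constructed sample data (hypothetical names, account id and timestamps)
ISSUED = 1_700_000_000
LEGACY_TOKEN = make_unsigned_token({
    "iss": "https://kubernetes.default.svc",
    "sub": "system:serviceaccount:payments:legacy-worker",
    "aud": ["https://kubernetes.default.svc"],  # default API-server audience
    "iat": ISSUED,
    "exp": ISSUED + 365 * 86400,                 # year-long, pre-federation habit
})
SCOPED_TOKEN = make_unsigned_token({
    "iss": "https://kubernetes.default.svc",
    "sub": "system:serviceaccount:payments:worker",
    "aud": ["sts.amazonaws.com"],
    "iat": ISSUED,
    "exp": ISSUED + 3600,
})
ROLE_BINDINGS = {
    "system:serviceaccount:payments:worker": "arn:aws:iam::111111111111:role/payments-worker",
}
ADMIN_ROLES = {"arn:aws:iam::111111111111:role/AdministratorAccess"}

def legacy_findings():
    """Legacy token: wrong audience, year-long lifetime, unreviewed binding."""
    return review_token(LEGACY_TOKEN, "sts.amazonaws.com", 3600, ROLE_BINDINGS, ADMIN_ROLES)

def scoped_findings():
    """Token that passes all three checks."""
    return review_token(SCOPED_TOKEN, "sts.amazonaws.com", 3600, ROLE_BINDINGS, ADMIN_ROLES)

if __name__ == "__main__":
    for f in legacy_findings():
        print("LEGACY:", f)
    print("SCOPED:", scoped_findings() or "ok")
```

The point of keeping all three checks in one function is that each one passing alone is the stale assumption the reply warns about: a short-lived token with the API-server audience still cannot be scoped at the cloud side, and a correctly scoped token bound to an unreviewed role just relocates the blast radius.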
@tuckner Extensions sit at a weird trust boundary. They see browser state, page content and sometimes SSO-adjacent workflows. Treating them like a theme pack is how this gets embarrassingly far.
@OpenAIDevs This is the right direction. The control that matters is not only killing long-lived keys, it is making service ownership and break-glass paths visible before the next integration grows around a shared secret.
@liran_tal @isguyra Useful framing. The part that matters operationally is where ownership sits. Skills and MCPs behave like software supply chain plus delegated identity, so checks need to happen before install and again at runtime.
@techspence That’s the part many asset inventories still miss. The blast radius now includes whatever developers install to move faster, well outside the software IT formally deploys.
@powerhdeleon Measuring tokens as a ranking ends up rewarding noise. For AI governance it is more useful to look at cost per resolved case, the control applied, and the rework that did not come back to the team.
PAN-OS, Palo Alto's firewall operating system, puts remote access back on the table. CVE-2026-0257 affects the GlobalProtect portal and gateway, with exploitation observed by the vendor. If you operate an exposed VPN, check the version and the mitigation.
https://t.co/qJssW2KVLB
The real problem is not Nx. It is the silent trust we give to extensions, CLIs and plugins that live next to the code, the secrets and the pipeline.
Source: https://t.co/AKRtpQ766k
CISA added CVE-2026-48027 to KEV on May 27. That changes the priority: it is no longer "let's review extensions when there is time", it is assuming the IDE may have been an entry path to production credentials.
@SEI_CMU The chart is the easy part. The hard part is deciding which model behavior changes business risk before anyone owns the break-glass path. That handoff is where the blast radius starts.
@techspence The high-value bit is not the fake object itself. It’s the routing afterwards. If every canary page lands in the same noisy SIEM queue, the signal dies before anyone touches the keyboard.
@BertJanCyber This is the kind of dull response plumbing that saves time during the ugly part of an incident. Local accounts are where cleanup gets messy, especially when ownership is unclear and the EDR view is thin.
@FastAPI The operational miss here is the contact path, not the scanner. If automated tooling can mark critical OSS as malicious, it needs a fast owner-verification lane before the blast radius reaches downstream teams.
@hkashfi The useful split is prevention versus inspection.
Scanners tell you what already landed; age gates, scoped registries, and deny-by-default installs reduce what can land in the first place.
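The three prevention controls named in the reply (age gate, scoped registry, deny-by-default install) as an added example that is not part of the original post. The registry metadata below is constructed, loosely shaped like the npm registry's per-version "time" map, and the `@acme` scope, the allowlist and the 7-day threshold are hypothetical policy values.

```python
from datetime import datetime, timedelta, timezone

# Added example: a pre-install gate that decides what may land, as opposed to a
# scanner that reports what already did. REGISTRY is constructed sample data;
# the scope, allowlist and age threshold are hypothetical policy choices.

MIN_AGE = timedelta(days=7)          # age gate: refuse versions younger than this
ALLOWED_SCOPES = {"@acme"}           # scoped registry: only these scopes are trusted
ALLOWLISTED_UNSCOPED = {"express"}   # explicit exceptions; everything else unscoped is denied

REGISTRY = {  # constructed; real metadata would come from the configured registry
    "@acme/auth": {"time": {"1.4.0": "2026-05-01T10:00:00Z",
                            "1.4.1": "2026-05-26T09:00:00Z"}},
    "express": {"time": {"4.19.2": "2024-03-25T00:00:00Z"}},
    "left-pad-ng": {"time": {"0.0.1": "2026-05-27T12:00:00Z"}},
}

def parse_ts(ts):
    """Registry timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def gate(name, version, now, registry=REGISTRY):
    """Return (allowed, reason) for one package@version.
    Order matters: deny-by-default and scope checks need no network metadata,
    so they run before the age gate."""
    scope = name.split("/")[0] if name.startswith("@") else None
    if scope is None and name not in ALLOWLISTED_UNSCOPED:
        return False, "unscoped package not on allowlist (deny by default)"
    if scope is not None and scope not in ALLOWED_SCOPES:
        return False, f"scope {scope} not in approved scopes"
    meta = registry.get(name)
    if not meta or version not in meta.get("time", {}):
        return False, "version not present in registry metadata"
    age = now - parse_ts(meta["time"][version])
    if age < MIN_AGE:
        return False, f"published {age.days}d ago, below {MIN_AGE.days}d age gate"
    return True, "ok"

def check_install_plan(plan, now):
    """Run the gate over a resolved install plan (list of (name, version)).
    Returns the denied entries with reasons; empty means the install may proceed."""
    denied = []
    for name, version in plan:
        allowed, reason = gate(name, version, now)
        if not allowed:
            denied.append((f"{name}@{version}", reason))
    return denied

# Constructed install plan evaluated at a fixed "now"
NOW = datetime(2026, 5, 28, tzinfo=timezone.utc)
PLAN = [
    ("@acme/auth", "1.4.0"),   # approved scope, 27 days old -> allowed
    ("@acme/auth", "1.4.1"),   # approved scope, 2 days old -> age gate
    ("express", "4.19.2"),     # unscoped but allowlisted -> allowed
    ("left-pad-ng", "0.0.1"),  # unscoped, not allowlisted -> denied by default
    ("@evil/thing", "9.9.9"),  # unapproved scope -> denied
]

if __name__ == "__main__":
    for entry, reason in check_install_plan(PLAN, NOW):
        print(f"DENY {entry}: {reason}")
```

Running the gate before the package manager touches the network is what makes it prevention rather than inspection: two of the three denials above are decided from the name alone, and the age gate only consults metadata for packages that already passed the scope policy.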
@cyb3rops This is the right baseline to separate demo value from SOC value. Generic model scores don't tell you whether the thing can kill noise without burying the finding that ruins your week.
@arekfurt The policy object is not the magic. The useful bit is making privileged access depend on where the session is born. Break glass still needs a clean path, but this kills a lot of 'admin from random laptop' debt.