Here's a /goal prompt I've been using to review my code with Codex. I've had a lot of success finding weird bugs and misconfigurations that way. Feel free to use it and share yours:
---
/goal
Act as a hostile reviewer of the current uncommitted changes.
Assume there are bugs, loopholes, broken assumptions, and misconfigurations hidden in the diff. Your goal is to find them before they reach production.
Review the uncommitted changes end to end. Do not only inspect the modified lines. Pull in related files, configs, schemas, policies, tests, routes, API handlers, auth flows, database rules, environment assumptions, and deployment behaviour where relevant.
Look specifically for:
- Security loopholes
- Authorization bypasses
- Incorrect trust assumptions
- User-controlled input reaching sensitive logic
- Missing validation
- Broken tenant/team/user scoping
- Data exposure
- Unsafe defaults
- Config mistakes
- Broken error handling
- Race conditions
- State inconsistencies
- Payment/subscription/access-control bypasses
- Missing auditability
- Bugs caused by incomplete refactoring
- Tests that pass but do not prove the intended behaviour
For every issue found:
1. Explain the issue clearly.
2. Show where it exists.
3. Explain the realistic failure or abuse case.
4. Fix it.
5. Re-check whether the fix introduced new issues.
Repeat this loop until the implementation is clean enough to defend in a production review.
Run relevant validation commands such as tests, linting, type checks, build checks, or targeted scripts. If no tests exist, say that clearly and recommend the missing coverage.
Final output must include:
- What was reviewed
- Issues found
- Fixes applied
- Validation performed
- Remaining risks
- Confidence level
- Any recommended follow-up tests or hardening tasks
Do not give vague reassurance. Be specific, critical, and evidence-based.
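A worked illustration of two of the checklist items above, broken tenant/user scoping and a test that passes but does not prove the intended behaviour. This is an added example, not output of the prompt and not code from any project it was run against; `Document`, `DOCS`, the tenant ids and the two lookup functions are hypothetical and the sample data is constructed.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    tenant_id: str
    body: str


# Constructed sample data (hypothetical): two tenants, one document each.
DOCS = {
    1: Document(1, "tenant-a", "Tenant A quarterly numbers"),
    2: Document(2, "tenant-b", "Tenant B customer list"),
}


def get_document_unscoped(tenant_id: str, doc_id: int) -> Document | None:
    """Buggy version: accepts tenant_id but never uses it, so any caller
    who can guess a doc_id reads another tenant's data (an IDOR)."""
    return DOCS.get(doc_id)


def get_document_scoped(tenant_id: str, doc_id: int) -> Document | None:
    """Fixed version: the tenant is part of the lookup predicate rather
    than a filter callers might forget. A missing id and a wrong tenant
    look identical to the caller (both return None), so the API leaks
    nothing about documents the tenant does not own."""
    doc = DOCS.get(doc_id)
    if doc is None or doc.tenant_id != tenant_id:
        return None
    return doc


def weak_test(lookup) -> bool:
    """Passes for BOTH implementations: it only exercises the happy path,
    so it never shows that scoping exists at all."""
    doc = lookup("tenant-a", 1)
    return doc is not None and doc.doc_id == 1


def strong_test(lookup) -> bool:
    """Proves the intended behaviour: the owner can read its document and
    a different tenant cannot. Fails for the unscoped version."""
    own = lookup("tenant-a", 1)
    cross = lookup("tenant-b", 1)
    return own is not None and own.doc_id == 1 and cross is None


def review_matrix() -> dict[str, dict[str, bool]]:
    """Run both tests against both implementations so the gap between
    'tests pass' and 'behaviour is proven' is visible side by side."""
    return {
        name: {"weak_test": weak_test(fn), "strong_test": strong_test(fn)}
        for name, fn in (
            ("unscoped", get_document_unscoped),
            ("scoped", get_document_scoped),
        )
    }


if __name__ == "__main__":
    for impl, results in review_matrix().items():
        print(impl, results)
```

The point of the matrix is that a green test suite consisting only of `weak_test` would let the unscoped lookup ship; the hostile review step "tests that pass but do not prove the intended behaviour" is asking for the negative case (`cross is None`) to be asserted explicitly.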
One of the most frequent questions I'm asked is "how do you stay up to date on malware stuff?"
Okay, here is a pro tip:
1. Google OTX AlienVault
2. Make account
3. Look at latest
4. Scroll until you find posts from a guy named Petr something-something (has numbers in his name).
5. Follow his account
He monitors all the big malware places and shares the URL, hashes, etc. from malware vendors. I've been following this random ass dude for years and getting updates on everything.
I have no idea who he is. I don't know where he's from. All I know is his setup is absolute fire and he keeps you up to date on literally everything malware related 24/7 365. He also has stuff from vendors in China, Russia, Japan, etc.
Every morning I log into OTX and check up on my boy Petr to see what fire he's bringing me. I love him.
Earlier this year, I wrote about 6x different emulation techniques used by threat actors that silence EDR agents and detection strategies for each one.
The diagram of the most common technique using WFP Filters:
🖊️ https://t.co/pWiUCh1Uy2
I worked with @svch0st and @TheDFIRReport to put out a report in less than 24 hours. This is especially timely given the threat actor's use of OpenClaw and Claude in the mass exploitation of CVE-2025-55182 (React2Shell).
An exposed open directory gave us the full operational footprint: scanner harness, AI-orchestrated post-exploitation, Telegram C2, and thousands of exfiltrated .env files across 900+ confirmed compromises.
#Claude #OpenClaw #DFIR
Elastic have pushed some new rules to detect DLL loads and API calls where the call stack contains a module known to be used for ROP gadgets. This includes dfshim.dll, which I use in RTO II.
📣 I partnered with @13CubedDFIR for another giveaway! 🎁
🏆 Five winners will receive a 13Cubed course of their choice from the list below + a Forensicator T-Shirt.
13Cubed Courses:
- Investigating Windows Endpoints
- Investigating Windows Memory
- Investigating Linux Devices
- Investigating macOS Endpoints
Each course comes with a Certificate of Completion as well as Certification attempts!
On April 25th, entries across social media platforms will be combined, and the five winners will be selected.
To Enter:
✅ Like
✅ Share
✅ Comment which course you want to win the most
For more information ⬇️
Link to 13Cubed Training: https://t.co/xbinmzAm3g
13Cubed Merch Store: https://t.co/021POuBvGj
#DFIR #DigitalForensics #IncidentResponse
For most of 2025, I was skeptical that AI was already playing a major operational role in real intrusions. Most public examples seemed limited to phishing and supporting tasks.
This report by my friend Eyal Eyal lines up with what I have been hearing elsewhere, too - in recent publications and in private conversations with people seeing this stuff up close.
I think that phase is over.
AI is moving into the operational core of attacks. With stronger models, open models, and jailbroken variants circulating, the economics have changed. Tailored tooling, exploit adaptation, and large-scale analysis get cheaper and faster.
I expect AI to play a major role in future campaigns, and that means more variation, more fresh tooling, and less reliance by attackers on recycled code.
All the more reason to focus on controls and detections that do not depend only on known samples.
Worth reading.
Sysmon View 2 is here & is now fully open source! I've rewritten it entirely: New modern UI & many quality-of-life improvements. Thank you all, this rewrite took a long time but was worth it.
https://t.co/vAfgyLxs89
#SysmonTools #Sysmon #DFIR #ThreatHunting #BlueTeam #InfoSec
🚨 Big news: New TH Book 🏹
After years in Threat Hunting, I wrote the book I always wanted when I started.
The Art of Threat Hunting, practical, technical, no fluff.
⚡Hypothesis generation, queries & adaptation stuff, CTI-driven programs, documentation, team alignment. The full lifecycle.
🦖Full breakdown on the blog: https://t.co/7yboDwsZJ8
🔗Available on Amazon: https://t.co/r1h2BQSSSC
#ThreatHunting #BlueTeam #Cybersecurity #Research #CTI #Malware #threat
📌 Looking Back: Iranian APT Infrastructure in Focus
https://t.co/yUCp8JkvBP
Two weeks ago, we analyzed infrastructure linked to several Iranian-aligned threat groups. Pivoting across IPs, hashes, ASNs, and TLS certificates revealed clusters tied to actors like MuddyWater and APT35.
In one case, a single IP exposed attacker tooling, additional servers in the same hosting network, and a short-lived Sliver C2 instance.
Infrastructure patterns like these often appear weeks before campaigns become widely reported.
#ThreatIntelligence #ThreatHunting #CyberSecurity
Collecting ADCS data with NetExec🔥
Thanks to the addition of CertiHound, developed and implemented by 0x0Trace, we can now collect ADCS data using the --bloodhound collector of NetExec.
As before, the data is exported as JSON files that can be imported directly into BloodHound.
APT confirmation used to take hours. Now it takes 4 minutes.
Attack Discovery correlates alerts into a single narrative.
A workflow triggers the agent.
The agent:
• Looks up the hash on VirusTotal
• Runs ES|QL queries across your logs
• Finds the on-call analyst
• Creates a case
• Opens a Slack incident channel
All before you read the threat intel report.
Maybe you’ve been living in a cave for the last two weeks, but an amazing book on how to combine threat intelligence and artificial intelligence has just come out - "Threat Intelligence. Chaos, Signals, and Attribution. AI Applied to Threat Intelligence" https://t.co/j26uauP5ba
Yes, we are the authors (Alfonso Muñoz, Jacobo Blancas)… and yes, this may not be the best promotion ever. But the quality of the book is good enough to make it worth a try. At the very least, it’s as good as our promotional video :)
🚨 Top 5 Live Intelligence Dashboards You Should Be Watching
If you're tracking cyber threats, geopolitical tensions, or OSINT signals in real time, these platforms provide a powerful “single pane of glass” into what’s happening globally:
🌍 LiveUAmap – Real-time conflict and geopolitical event tracking
🔗 https://t.co/HV7wR0jxD4
📊 GDELT Project – Global event monitoring powered by AI across dozens of languages
🔗 https://t.co/Y3468LUhoI
🌐 WorldMonitor – Live global incidents, disasters, and security alerts
🔗 https://t.co/1qMzK0Dtaq
🛡️ SOCRadar Cyber Conflict Dashboard – Focused cyber threat intelligence (Iran–Israel context)
🔗 https://t.co/d4MNtnQ1OM
🧠 Pizzint – OSINT-driven monitoring of leaks, dark web activity, and threat signals
🔗 https://t.co/GutduD8Bif
These dashboards highlight how OSINT + real-time data + visualization are reshaping situational awareness for both cyber and physical threats.
👉 If you know other high-quality live intelligence dashboards, drop them in the comments — always looking to expand the list.
#OSINT #CyberThreatIntelligence #ThreatIntel #Geopolitics #DarkWeb #CyberSecurity #DDW #InfoSec #OpenSourceIntelligence