uid0

Verified account

@uidzero

Red Team @ Sophos | Offensive security for LLMs, agents & GenAI | Researching and weaponising AI attack paths

@[email protected]

Joined February 2014

1.8K Following

1.7K Followers

1.2K Posts

Pinned Tweet

about 2 months ago

Most “AI pentesting” right now is theatre. Cool demos. Zero outcomes. So we built an OpenClaw agent, wired it with real skills + guardrails, and let it loose against: • Production Active Directory • A live web app Result: - 3 days of AD recon → 3 hours - 23 valid findings in AD - 52 valid findings in Web app - Valid attack paths toward DA We’ve open-sourced how we did it, example skills, infra, and the agent persona: https://t.co/4xfVpARTyc This is what AI pentesting looks like when it’s not a demo.

2

3

0

0

143

about 2 months ago

We let openclaw loose in our prod AD network.. Relevant persona, skill, architecture and report made public. Check out how we achieved this in the Sophos blog post below. https://t.co/VwitSEmArx

0

2

0

0

92

2 months ago

@UK_Daniel_Card Its ok, the WAF will block attacks 🤦🏻‍♂️🤣

0

0

0

0

49

2 months ago

@ghostinthecable @UK_Daniel_Card 🤣🤣🤣🤣

0

1

0

0

16

Who to follow

Security Analyst | non-binary malware gremlin / wannabe malware historian | she/they | opinions are my own etc. 🍎

Infosec Nerd | CISSP | Computer Geek

Security Engineer | Gamer | Opinions are my own

2 months ago

If your interested in the methodology behind penetration testing AI ecosystems, check out my latest blog post! Deep dives on these methodologies to follow soon! #cybersecurity #ai #hacking #ethicalhacking #offensivesecurity https://t.co/osZ59Q19Sb

0

3

1

0

130

2 months ago

@0xConda A great one ive found for this is using words like "impact verification". Seems to bypass the refusals every time

0

1

0

0

79

2 months ago

Most companies think the risk with AI is the model. Its not.... If an attacker can influence the model, they can influence the systems behind it! My latest post on how we test AI Ecosystems and use LLM's to pivot to real infra. Check it out below. https://t.co/osZ59Q19Sb

1

4

1

2

435

3 months ago

@HackingLZ Ditto, ringway mcr has been a favourite for some years now!

0

0

0

0

34

3 months ago

@gabsmashh 🤦🏻‍♂️🤦🏻‍♂️🤦🏻‍♂️🤦🏻‍♂️

0

0

0

0

20

3 months ago

Planning to write up another blog post shortly, what content would you like to see?

0

1

0

0

88

3 months ago

@HackingDave Haha omg I need to get our shep one of these 🤣

0

1

0

0

98

3 months ago

Just came across this on good old LinkedIn, by a senior security program manager.. do these people really believe we run ZAP and metasploit during pentests? 🤣🤦🏻‍♂️ mindblown

uidzero's tweet photo. Just came across this on good old LinkedIn, by a senior security program manager.. do these people really believe we run ZAP and metasploit during pentests? 🤣🤦🏻‍♂️ mindblown https://t.co/TlMl8BrjEM

0

2

1

0

149

3 months ago

@KeithRamphal @HackingLZ Lol reverse uno 🤣 correct, if you can prompt inject or jailbreak the bot, you win prizes!

0

1

0

0

36

3 months ago

With all these AI pentesting bots being posted recently, I decided to put my two cents into why we are not ready for fully autonomous pentesting with AI yet. Im case you missed it, read it on my blog here: #ai #Pentesting #CyberSecurity https://t.co/0juLZoXdXb

1

4

0

1

678

3 months ago

@HackingLZ I saw you've been doing some research on this. Planning to go public with it? Id be interested in the findings

1

0

0

0

61

3 months ago

@JustL22866 Yeah agreed there, the legal discussions would be a requirement. Data wise I didn't touch on in this post but this would certainly be something to consider if you're planning on using any of the frontier models like Claude, GPT etc.

0

1

0

0

30

4 months ago

I decided to start a blog for some hacker ramblings and insights, and what better way to start than to discuss why AI is not yet ready for end-to-end pentesting. Keen on getting people talking about this subject, let me know your thoughts on this! https://t.co/0juLZoXdXb

2

12

2

7

2K

4 months ago

@x25princess 100% would agree. Recently had an OKR to create an AI based tooling to assist with adversarial attacks / penetration testing. Given the hallucinations etc in LLM's, there ain't no way I'm throwing any AI based tool at a live env.

0

1

0

0

31

5 months ago

@infosec_fox Makes me want to kms dude 🤣🤣

0

0

0

0

25

Last Seen Users on Sotwe

Trends for you

Most Popular Users