No-Slop Research & Human Thoughts on Security

No-Slop Research & Human Thoughts on Security

Latest — 31 Mar 2026

Can we afford to get lost anymore? Can we afford not to?

I remember life before phones and Google Maps. Even before MapQuest, we all used to get lost a lot more. Back then, I’d stop at random gas stations to ask for directions, and my knowledge of highways, city streets, and far-flung roadways was actually pretty decent. But of course,

More issues

The San Francisco Consensus

Last week at the [un]prompted conference in San Francisco, the question on everyone's mind was: What happens when Time-to-Exploit reaches zero? The Problem, As Told By The Clock The Zero Day clock project shows a single, collapsing trendline. In 2018, the median time between a vulnerability being

You are the Blackboard - AI Agent Assisted Bug Hunting

In vulnerability and CVE hunting, you have a search space problem. Your attack surface is seemingly unlimited, so much so that target selection is often considered the most important skill of a bug bounty hunter. In this article, I'll recount the process I used to narrow the search

GCP IAM 201 - OAuth Scopes

In the OAuth 2.0 specification, a scope defines the limits of an access token. When applied to Google APIs, a scope specifies which APIs and resources the token can access. If you only take away one thing about OAuth 2.0 Scopes for Google APIs, it is: do not

Working as Intended - The Unauditable, Unmanageable Keys in Google Cloud

This blog outlines three vulnerabilities with user-associated HMAC keys in Google Cloud. Vulnerability #1 - Insufficient Logging Vulnerability #2 - Unmanagable Long-Term Credentials Vulnerability #3 - Unauditable Long-Term Credentials TLDR; * HMAC keys serve a practical purpose. They can be used to create Sigv4 signed headers used to authenticate against the

GCP IAM 201 - Service Agents | What Can Go Wrong

This post aims to answer the question, 'What can go wrong when using Google Cloud services that leverage Service Agents/P4SAs?' For an introduction to Service Agents, see GCP IAM 201 - Service Agents. Below, you'll find an overview of possible threats to Google Cloud customers

GCP IAM 201 - Service Agents

Service Agents are nothing more than a type of a Service Account. Also known as a P4SA (Per-Project, Per-Product; Service Account), a Service Agent is typically created automatically whenever its associated Google API is enabled in a Project. Service Agent and Service Account Comparison Customer-managed SAs Google-managed SAs Colloquially called:

How I Prep for Talks – and You Can Too!

Recently, a friend admitted to me they were resorting to a 'Hail Mary' approach for their upcoming talk, scribbling notes on notecards like a nervous high school student. "But no! That's actually a pro move," I assured them, not just a desperate scramble to

GCP IAM 101 Series

The GCP IAM 101 series is intended to give a brief, succinct overview of essential Google Cloud authorization concepts, answering questions like 'How does Alice gain access to the Bucket?' These pages are the TLDR; for Google Cloud IAM, supplemented with links to official, more verbose Google documentation

Attacks as a Service with The DeRF

Leverage The DeRF for attacker simulations, validating security controls or enhancing cloud detection capabilities. DeRF (Detection Replay Framework) is an "Attacks As A Service" framework, allowing the emulation of offensive techniques and generation of repeatable detection samples in the cloud. Built on Google Workflows The DeRF is open-source

About

No-Slop Research & Human Thoughts on Security

Thoughts, stories and ideas from a human in cloud and identity security research.

Topics

101

201

ai

aws

gcp

musings

research

vuln