No-Slop Research & Human Thoughts on Security

No-Slop Research & Human Thoughts on Security

Latest — 08 Mar 2026

The San Francisco Consensus

Last week at the [un]prompted conference in San Francisco, the question on everyone's mind was What happens when Time-to-Exploit reaches zero? The Problem, As Told By The Clock The Zero Day clock project shows a single, collapsing trendline. In 2018, the median time between a vulnerability being

More issues

You are the Blackboard - AI Agent Assisted Bug Hunting

In vulnerability and CVE hunting, you have a search space problem. Your attack surface is seemingly unlimited, so much so that target selection is often considered the most important skill of a bug bounty hunter. In this article, I'll recount the process I used to narrow the search

GCP IAM 201 - OAuth Scopes

In the OAuth 2.0 specification, a scope defines the limits of an access token. When applied to Google APIs, a scope specifies which APIs and resources the token can access. If you only take away one thing about OAuth 2.0 Scopes for Google APIs, it is: do not

Working as Intended - The Unauditable, Unmanageable Keys in Google Cloud

This blog outlines three vulnerabilities with user-associated HMAC keys in Google Cloud. Vulnerability #1 - Insufficient Logging Vulnerability #2 - Unmanagable Long-Term Credentials Vulnerability #3 - Unauditable Long-Term Credentials TLDR; * HMAC keys serve a practical purpose. They can be used to create Sigv4 signed headers used to authenticate against the

GCP IAM 201 - Service Agents | What Can Go Wrong

This post aims to answer the question, 'What can go wrong when using Google Cloud services that leverage Service Agents/P4SAs?' For an introduction to Service Agents, see GCP IAM 201 - Service Agents. Below, you'll find an overview of possible threats to Google Cloud customers

GCP IAM 201 - Service Agents

Service Agents are nothing more than a type of a Service Account. Also known as a P4SA (Per-Project, Per-Product; Service Account), a Service Agent is typically created automatically whenever its associated Google API is enabled in a Project. Service Agent and Service Account Comparison Customer-managed SAs Google-managed SAs Colloquially called:

How I Prep for Talks – and You Can Too!

Recently, a friend admitted to me they were resorting to a 'Hail Mary' approach for their upcoming talk, scribbling notes on notecards like a nervous high school student. "But no! That's actually a pro move," I assured them, not just a desperate scramble to

GCP IAM 101 Series

The GCP IAM 101 series is intended to give a brief, succinct overview of essential Google Cloud authorization concepts, answering questions like 'How does Alice gain access to the Bucket?' These pages are the TLDR; for Google Cloud IAM, supplemented with links to official, more verbose Google documentation

Attacks as a Service with The DeRF

Leverage The DeRF for attacker simulations, validating security controls or enhancing cloud detection capabilities. DeRF (Detection Replay Framework) is an "Attacks As A Service" framework, allowing the emulation of offensive techniques and generation of repeatable detection samples in the cloud. Built on Google Workflows The DeRF is open-source

Rethinking Your Threat Models for the Cloud

The cloud has scrambled the context defenders are accustomed to leaning on for understanding the attack surface. No longer do attackers move along a linear network-plane, from one asset to another where visibility can be traced at a predictable layer in the network stack. In the cloud, every move an

About

No-Slop Research & Human Thoughts on Security

Thoughts, stories and ideas from a human in cloud and identity security research.

Topics

101

201

ai

aws

gcp

musings

research

vuln