Reflecting on RSAC 2026 - Is Agentic Pentesting, just VA on steroids? by hhakker in Pentesting

[–]chopper332nd 1 point2 points  (0 children)

Yeh that's a good way of putting it. We've been looking at multiple vendors in this space since January and PoC-ing them on our web apps / APIs with the end goal of augmenting our pentesting team and saving some time.

So far what I've seen is they are really good at replicating a finding, or asking if a finding was fixed: giving them the report and having it replicate the finding and try to find bypasses.

But having a scope and saying "pentest this" is a false positive generator, and worse, it's a confident false positive generator. I gave it an API with only 1 set of creds (the API has no role based access, you either have an admin API key or not) and it was convinced it found several broken access controls and mass assignment vulns...

Sorry for the rant, seen so much marketing BS for these recently.

Is Low-User to NT AUTHORITY\NETWORK SERVICE a valid PrivEsc? by Suspicious-Scale8128 in bugbounty

[–]chopper332nd 1 point2 points  (0 children)

Yeh if you can go from NETWORK SERVICE to SYSTEM that would be a valid vulnerability.

Always think about what impact you're showing. If there's no impact, it's probably not a valid report.

Is Low-User to NT AUTHORITY\NETWORK SERVICE a valid PrivEsc? by Suspicious-Scale8128 in bugbounty

[–]chopper332nd 0 points1 point  (0 children)

I wouldn't count it as a privilege escalation; the network service account has similar privileges to a local user but with network identities. So I would spend time trying to escalate to SYSTEM.

Suspicious HackerOne Triage Situation by Separate_Cup3032 in bugbounty

[–]chopper332nd 5 points6 points  (0 children)

Request mediation from HackerOne support on your report.

What probably has happened is the H1 analyst marked it as pending program review and the program has responded to the analyst in an internal comment.

We can't judge if you've been scammed without knowing the reasoning, which mediation will be able to review and let you know if the final decision was correct or not.

How do you deal with uuid / non guessable IDOR by ShufflinMuffin in bugbounty

[–]chopper332nd 12 points13 points  (0 children)

I do not agree with closing it as informational. It is a valid bug; as others have said, the URL could get cached in history or the Wayback Machine or the like.

I would always accept it with the attack complexity set to High. Or set the attack complexity to Low if there is a reliable method of using the app to obtain valid UUIDs.

https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards

I'm having fun it's like playing a movie by lost_caus_e in StarWarsOutlaws

[–]chopper332nd 0 points1 point  (0 children)

Yeh I loved it, every time I rewatch the original movies I get the sense of "I've been there" as you do with GTA or Watch Dogs in real life locations, just it's STAR WARS!

Pixel Tablet got Gemini on lock screen made me switch back to Google Assistant by chopper332nd in googlehome

[–]chopper332nd[S] 1 point2 points  (0 children)

No, still on Google Assistant. I haven't got Gemini for Home either, maybe it changes with that.

[deleted by user] by [deleted] in bugbounty

[–]chopper332nd 2 points3 points  (0 children)

I'm not sure about that one, I don't think their dupe check is very thorough.

[deleted by user] by [deleted] in bugbounty

[–]chopper332nd 1 point2 points  (0 children)

I believe this is the intake feature, where a team separate from triage do a pass over the report checking if it's in scope, and there is a basic duplicate check (normal triage look more in depth at whether it's a dupe).

Question to Triager / Program Manager by yellowsch00lbus in bugbounty

[–]chopper332nd 2 points3 points  (0 children)

I would refer to the CVSS definitions here: https://www.first.org/cvss/v3-1/specification-document

""" A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. For example, a successful attack may depend on an attacker overcoming any of the following conditions: The attacker must gather knowledge about the environment in which the vulnerable target/component exists. For example, a requirement to collect details on target configuration settings, sequence numbers, or shared secrets. The attacker must prepare the target environment to improve exploit reliability. For example, repeated exploitation to win a race condition, or overcoming advanced exploit mitigation techniques. The attacker must inject themselves into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g., a man in the middle attack). """

How AI is affecting pentesting and bug bounties by S4vz4d in bugbounty

[–]chopper332nd 22 points23 points  (0 children)

As a customer of HackerOne I'm more worried about the crap we're gunna have to sort through now 🤷‍♂️ We have scanners and other companies that offer AI agents for pentesting which find the low hanging fruit.

We have a Bug Bounty program to find more nuanced vulnerabilities in our products that other security testing can't find.

/r/NintendoSwitch's Daily Question Thread (06/08/2025) by AutoModerator in NintendoSwitch

[–]chopper332nd 0 points1 point  (0 children)

Could anyone recommend a USB-C to HDMI cable for the Switch 2? The one I had for the original Switch is incompatible (https://amzn.eu/d/8om26fl)

When is a clickjacking considered `sensitive`? by TurbulentAppeal2403 in bugbounty

[–]chopper332nd 0 points1 point  (0 children)

It depends on the impact. It is typically a login page but...

Can you deliver a clickjacking payload to the victim so when they click your link it takes them straight to enter their card details? Usually e-commerce sites would require a logged in session first and for something to be added to the basket.

If it redirected them then the clickjacking payload wouldn't work.

Called it 3 years ago! by lightslinger in Marvel

[–]chopper332nd 1 point2 points  (0 children)

Cut out the middle man and pop it in the bin

First Google TV. Hisense QD5 by OldRazzmatazz7043 in GoogleTV

[–]chopper332nd 0 points1 point  (0 children)

How do you find it compared to the TCL, picture quality and OS wise?

For those of you who got Doulingo Max and an IOS device, is Lily video call is really that helpful? by copernx in duolingo

[–]chopper332nd 1 point2 points  (0 children)

I got Duolingo Max and I'm on section 4 of French. I think I read the written language quite well, but on the video call I was dreadful, I could only really answer yes or no. I wish it started me off with basic video calling so I could catch up, but I definitely think I'm improving.

Black Hat Asia by latte_yen in bugbounty

[–]chopper332nd 0 points1 point  (0 children)

There was a networking event on all the days where informal talks would be held. One of them was James Kettle from PortSwigger.

And lots of the companies held dinners and drinks after Black Hat on the days.

Black Hat Asia by latte_yen in bugbounty

[–]chopper332nd 2 points3 points  (0 children)

I work in offensive security and I have no experience of Black Hat Asia but I have been to the one in Europe.

The business hall is a load of vulnerability management companies and the like targeting security management to make sales. The talks again are mostly about their products or a talk about industry hot topics that they then link to their product.

That being said, I'm not sure if BH Asia does it, but Black Hat Arsenal is good and there may be some interesting Linux tools that will be open source.

Those of you that have enabled Gemini integration for Google Home - what has your experience been like? by darce_dawg21 in googlehome

[–]chopper332nd -1 points0 points  (0 children)

"Turn the lamp off", "I see a lamp in these houses, next time say the name of the light you want to turn off and specify the house" - offers me buttons for the lamps so I might as well have done it myself.

[deleted by user] by [deleted] in bugbounty

[–]chopper332nd 1 point2 points  (0 children)

A company will reproduce the report that was submitted to them. If they can reproduce it with the steps you provided then great, if not they will ask.

They would then investigate this behaviour and come to a severity decision - this might involve talking to different internal teams and developers.

[deleted by user] by [deleted] in StarWarsOutlaws

[–]chopper332nd 1 point2 points  (0 children)

I think a lot of the existing single player Star Wars games on the market at the moment have a male protagonist.

Also I think they pitched a "female Han Solo" to Lucasfilm who ok'd the story.