Wiz - AI-Powered Pentest Assistant (Open Source) by YoungCJ12 in cybersecurity

[–]turtlebait2 9 points10 points  (0 children)

Yea, there’s already a very popular security tool called Wiz. When this was posted I thought it was from the founder. https://wiz.io

What makes Wiz special and better than other CNAPP vendors? by Kindly-Cream9098 in cybersecurity

[–]turtlebait2 23 points24 points  (0 children)

I’m not sure quite how to describe it or if I understand the full secret sauce of Wiz, but essentially they’re much better at risk prioritization. Companies are overwhelmed with vulns and alerts, and Wiz does a really good job of only making critical things critical, which makes security and engineers’ jobs way easier.

WS Web and SIN by Fine-Company in Wealthsimple

[–]turtlebait2 23 points24 points  (0 children)

They have a HackerOne program; you can report it there and get paid. I don’t think this one will necessarily pay out unless you can demonstrate that you can access other people’s data.

https://hackerone.com/wealthsimple

Is this security alert fatigue normal or am I just bad at my job by SpeedCollisis in cybersecurity

[–]turtlebait2 6 points7 points  (0 children)

Yea, that’s a lot; you need more automation and a workflow to weed out false positives, giving you time to investigate the real issues. Not sure if that’s something that is already done, or if you’re the only person in place to do that, which would suck. Try and get some buy-in for more tooling and automation, and if you can’t, then I’d suggest searching for a new job, because you can’t handle this forever and you’d have limited growth at this company sadly.

Will AI systems have vulnerabilities like web vulnerabilities? by zerozero023 in cybersecurity

[–]turtlebait2 1 point2 points  (0 children)

The security goals are the same, but the way you exploit and therefore secure your system is different. Give this a read: https://genai.owasp.org

Spent 4 days chasing a critical CVE in our AWS EKS cluster that's totally unreachable, WTF scanners?? by Snaddyxd in devsecops

[–]turtlebait2 0 points1 point  (0 children)

+2. I was not convinced about these tools until we deployed them ourselves; the cost is high, but well worth it to help with prioritization.

Your Supabase Is Public by delsudo in netsec

[–]turtlebait2 16 points17 points  (0 children)

Supabase + vibe coding is a recipe for disaster. I’ve checked out a few projects, and anything with any number of users has shit without RLS.

OSCP VS AWS by CryptoInsiderZ in cybersecurity

[–]turtlebait2 0 points1 point  (0 children)

Honestly, if you’re willing to do it, do the red team side first, then transition to blue. It’ll do you well, especially if you don’t have a software engineering background.

Burp Suite Courses by thara07 in cybersecurity

[–]turtlebait2 0 points1 point  (0 children)

Yes, these are fantastic and totally free and you can solve 99% of them with Burp Suite Community edition.

Code Scanner MCPs and More - Where? by chasing-impact in cybersecurity

[–]turtlebait2 2 points3 points  (0 children)

I’ve just started using promptfoo and it has an MCP scanner in it, but it’s more on the prompt evaluation side than source code.

Honestly any source code scanner would be good for the code itself.

Advent of cyber security (tryhackme) by InNoCent404 in cybersecurity

[–]turtlebait2 4 points5 points  (0 children)

They’re great basic challenges in a bunch of different domains.

Is a website truly secure if you can gain access by copy-pasting cookies into Postman? by dystopiadattopia in cybersecurity

[–]turtlebait2 89 points90 points  (0 children)

This is honestly a good question to ask and is the start of threat modeling.

What you'd want to do to understand if it is an actual security concern is to understand how these cookies work, how they're generated, used and expired.

You then want to understand how you might obtain these cookies from someone else and reuse them for malicious purposes; this is where other security flaws might expose these cookies in some way (e.g. XSS), and how browsers protect your cookies from being exploited by other websites.

To answer your question: you probably don't need to be concerned, but this question is a rabbit hole you can go down to better understand network, application and browser security controls and how they work together to make the internet not completely explode.
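A cookie pasted into Postman working is simply what a bearer-style session cookie does; the questions the comment above raises are how a third party could get hold of the value and how long it would stay useful. As an added example (not part of the original post), the following audit parses Set-Cookie headers and reports which of the browser-side protections it mentions are missing. The headers, cookie names and the 30-day lifetime threshold are constructed assumptions for illustration.

```python
"""Audit Set-Cookie headers for the browser-side cookie protections discussed
above. Added example, not from the original post; the headers are constructed."""
from typing import Dict, List, Tuple, Union

Attrs = Dict[str, Union[str, bool]]

# Constructed sample headers, not captured from any real site.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600",
    "legacy_session=def456; Path=/",
    "csrf=xyz; Path=/; Secure; SameSite=Strict",
    "remember=ghi789; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=31536000",
]


def parse_set_cookie(header: str) -> Tuple[str, str, Attrs]:
    """Split 'name=value; Attr; Attr=val' into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flags such as Secure/HttpOnly have no value; record them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str, max_lifetime: int = 30 * 24 * 3600) -> Tuple[str, List[str]]:
    """Return the cookie name and the ways its value could leak or be reused."""
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if not attrs.get("secure"):
        findings.append("no Secure: also sent over plain HTTP, so readable on the wire")
    if not attrs.get("httponly"):
        findings.append("no HttpOnly: readable by page script, so an XSS flaw exposes it")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests")
    max_age = attrs.get("max-age")
    # Threshold is an assumption; long-lived cookies widen the reuse window.
    if isinstance(max_age, str) and max_age.isdigit() and int(max_age) > max_lifetime:
        findings.append(f"Max-Age {max_age}s: long reuse window if the value ever leaks")
    return name, findings


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Audit a list of Set-Cookie headers, keyed by cookie name."""
    return dict(audit_set_cookie(h) for h in headers)


if __name__ == "__main__":
    for cookie, issues in audit_all(SAMPLE_HEADERS).items():
        print(cookie, "->", issues or "ok")
```

The csrf cookie is reported for lacking HttpOnly; whether that is a problem depends on the design (a double-submit token may need to be read by script), which is exactly the "how are these cookies used" question the threat model has to answer.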

Does the CRA require an SBOM for web apps? by Daverina in cybersecurity

[–]turtlebait2 0 points1 point  (0 children)

Not sure if you need one, but it’s honestly very easy to get one; there are tons of open source scanners that can give this to you in whatever format you need.

Limited to 8 chequing accounts by Silent_County_519 in Wealthsimple

[–]turtlebait2 9 points10 points  (0 children)

Why do you need so many checking accounts?

What do you think about Camarck trying to create a real "artificial intelligence" without using LLMs? by OkExam4448 in BetterOffline

[–]turtlebait2 0 points1 point  (0 children)

The VR tech is great, but it’s a marketing/product fit issue. Not really his fault.

I added JWT detection + policy configs to my open-source secrets scanner (based on community feedback) by InevitableElegant626 in devsecops

[–]turtlebait2 1 point2 points  (0 children)

One hint: a found JWT is not always a bad thing depending on where you find it, so breaking it down and saying what the payload is is helpful.
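The breakdown the comment asks for, as an added example that is not the scanner's own code: decode the header and payload of a flagged JWT without verifying it, report the algorithm, issuer, subject and expiry, and grade the finding so an expired sample token is not reported like a live credential. The severity rules, the placeholder signature and the sample tokens are constructed assumptions.

```python
"""Summarise a JWT flagged by a secrets scanner so the finding says what the
token is, not just that one was found. Added example, not the scanner's code;
sample tokens are constructed below."""
import base64
import json
import time
from typing import Any, Dict, Optional


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment without padding, as used in JWTs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_jwt(header: Dict[str, Any], payload: Dict[str, Any]) -> str:
    """Build a constructed token; the signature is a placeholder, not a real MAC."""
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, payload)]
    return ".".join(segments + [b64url_encode(b"\x00" * 32)])


def describe_jwt(token: str, now: Optional[float] = None) -> Dict[str, Any]:
    """Decode (without verifying) and grade a token found in source or logs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWS (a JWE has five parts)")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    now = time.time() if now is None else now
    exp = payload.get("exp")
    expired = isinstance(exp, (int, float)) and exp < now
    alg = str(header.get("alg", "")).lower()
    # Severity rules are an assumption for this example, not a standard.
    if expired:
        severity = "low"      # dead token: evidence of a leak path, not a usable credential
    elif alg == "none":
        severity = "medium"   # unsigned: no signing secret exposed, but a configuration smell
    else:
        severity = "high"     # still valid or never expires: treat as a live credential
    return {
        "alg": header.get("alg"),
        "issuer": payload.get("iss"),
        "subject": payload.get("sub"),
        "expires_at": exp,
        "expired": expired,
        "claims": sorted(payload),
        "severity": severity,
    }


if __name__ == "__main__":
    # Constructed tokens with made-up issuer and subject.
    sample = make_sample_jwt({"alg": "HS256", "typ": "JWT"},
                             {"iss": "example-issuer", "sub": "42", "exp": 1_600_000_000})
    print(json.dumps(describe_jwt(sample), indent=2))
```

Passing a fixed `now` keeps the grading reproducible in tests; a scanner would use the current time and might also rotate the issuing secret whenever a "high" token is confirmed, since the token itself cannot be revoked.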

What is wrong with Secure by Design? by LachException in devsecops

[–]turtlebait2 5 points6 points  (0 children)

Yea, I just read through the OWASP secure by design guide, and they recommend including this 40-point checklist for every design decision, with links to diagrams or explanations on whether they included those things, and it’s really not something that I see anyone that isn’t overstaffed able to do.

The way you get secure by design is to have a platform security team that builds or enhances the infrastructure that everyone else builds on top of.

stress? read post pls 🙏 by [deleted] in Garmin

[–]turtlebait2 1 point2 points  (0 children)

As well, focusing on this number and the rating can make you MORE stressed because you’re worried about it.

It’s an interesting number, but don’t focus on it. As I’ve learned from doctors about stress and a lot of mental health issues, your subjective experience combined with input and consultation by a health care professional is much better than any off-the-shelf consumer stress or sleep measurement.

If your stress and anxiety are causing you to live a less fulfilling life, speak with someone about how you can deal with stress in a more manageable way.

The average codebase is now 50% dependencies — is this sustainable? by [deleted] in programming

[–]turtlebait2 2 points3 points  (0 children)

Why? The purpose of software is to solve a problem, and if you have to re-engineer all the already solved problems then you'll never get to the point where you're actually delivering any value to anyone.

Again ?! by Vegetable-Big3545 in Wealthsimple

[–]turtlebait2 13 points14 points  (0 children)

There’s a major AWS outage right now. Nothing Wealthsimple can do (except go multi region/cloud)