TrustedSec

<p>It's that feeling of your nerves being stretched like sinew over mounting expectations and due dates. When your attention keeps an exhausted but stubborn focus on an ever-shifting goal because there is always one more…</p>

<p>Many DoD contractors are struggling to understand what requirements will apply to them once CMMC rolls out. CMMC defines three levels, but CMMC Level 2 may allow a self-assessment or may require a third-party…</p>

<p>Implementing CMMC and other Controlled Unclassified Information (CUI) protection obligations depends on the accurate identification of CUI, and in some cases also depends on the identification of the CUI categories and…</p>

<p>Defense subcontractors may already be seeing CMMC clauses in their contracts, even though the CMMC contracting procedures and contract clause have yet to be finalized (as of this post in August 2025). However, the…</p>

<p>Plenty of people know how to toss an IP address and port list into Excel for sorting and searching but don’t get a chance to take it to a deeper level. Excel pivot tables are a great next step to explore, offering a…</p>

<p>We have arrived at our final stage of metamorphosis, taking our pupa and morphing it into a hacking machine. Let's finish this journey. Geared Up Pupa In the first blog, we took various MaxiProx builds and attempted to…</p>

<p>Understanding the Value of Findings Clients Often QuestionIn some report readouts, we may encounter situations where a client looks at a web application report and asks, “Why are you even reporting that?” This blog…</p>

<p>Attackers are getting increasingly creative—not just with their payloads, but with how they deliver and operate them. In a recent Incident Response engagement, TrustedSec investigated a case involving an attacker who…</p>

<p>Organizations in the health care sector and those that work with it often hear about HIPAA, HITECH, and HITRUST compliance but may not understand what they all are and what they have to do with each other. This post…</p>

<p>The Azure Front Door Web Application Firewall (WAF) has an "IP restriction" option that can be bypassed with the inclusion of an HTTP header. What's worse? This is actually expected behavior. Figure 1 - WHY???…</p>

<p>While digging into the internals of my new Lenovo ThinkPad P1 Gen7, I came across an unexpected discovery that quickly escalated from curiosity to a viable privilege escalation vulnerability.  Every day at exactly…</p>

<p>In this post, we’ll be exploring a practical technique for abusing Chrome Remote Desktop (also known as Google Remote Desktop) within a Red Team operation. I sometimes find myself needing to use legitimate software to…</p>

<p>As a Senior Security Consultant and National Institute of Standards and Technology (NIST) expert, the question I get asked the most is, how do we compare scores and maturity ratings from version 1.1 to version 2.0?…</p>

<p>Take a closer look at JWT signature verification using X.509 headers as we walk through an attack and demonstrate a Burp extension to exploit a known vulnerability by targeting two headers used in some JWT setups.</p>

<p>Figure 1 - We take our work very seriously. Capturing Hashes with DragonHashChromium-based browsers have an odd feature set that allows extensive drag-and-drop capabilities in the browser. This feature is not only…</p>

<p>In this post, we are going to look at how we can find zero-days in .NET assemblies using Model Context Protocol (MCP).SetupBefore we can start vibe hacking, we need an MCP that will allow Claude to disassemble .NET…</p>

<p>Mobile devices are a must have in today’s world for communication. With that being said, these devices do come with some risks when it comes to personal data. Common mobile device threat vectors include various attack…</p>

<p>Another year, another vuln…It's that time again.Last year I disclosed the existence of GraphNinja - a (now fixed) vulnerability in Azure where you could password spray and remain undetected. Well, the Ghost of…</p>

<p>As AI evolves with MCP, can a new “dog” learn old tricks? In this blog, we test Claude AI’s ability to craft phishing pretexts—and just how much effort it takes to pull them off.</p>

<p>Penetration testing is not a commodity service. If you are a procurer of penetration tests and have ever received wildly different quotes for the "same" engagement, you've likely encountered this issue at some point.…</p>