Layered defence buys time. The probability of all layers having an exploitable vuln by the same TA is negligible. Also easier said than done since the industry doesn't consciously apply layers of a different nature, vendor and a sufficient count across their infra.
Posts by Dhruv AHUJA
Very fulfilling to see deep engineering, security rollout and developer experience considerations being appreciated by a customer. Another 5-star G2 review has come through. ⭐⭐⭐⭐⭐
.. from Rui Duarte and Gui Neto who tested this in a live environment. These are the people the UK needs to spur the industry at events such as the upcoming UK Cyber Flywheel by Harmonic. I'll be there.
[1] research.google/blog/safegua...
[2] arxiv.org/abs/2603.28627
#BuildingtheUKFlywheel
multiple packets, on some occasions, had to be aggregated for proper validation and sanitisation.
This broke the whole per-packet processing model of our egress firewall. Anyway, we got that done over two weeks with clever logic (thanks to some #Rust guarantees) and the immense patience and help ..
... enablement.
Now that the literature has come out on Quantum apocalypse timelines [1,2], I am no longer thinking all that hard work was in vain. The hard work was that a PQC handshake takes TLS ClientHello messages over the network/VPC MTU (usually 1460 or 1500 bytes). This meant that ...
I was mighty upset with Google on 12 Feb. We had discovered that the issue affecting egress filtering for a DiscrimiNAT customer on GCP was in fact Post-Quantum Cryptography TLS handshakes. It was a combination of the most up-to-date OpenSSL version in a container image and server-side #PQC ...
We've implemented #PQC TLS properly where Kyber cipher exchange spans multiple packets > MTU. The aggregated ClientHello is tested for conformance, and not packets individually as some cloud 1p firewalls have advised Suricata rules to be formed 🔍. Safe egressing with AI Agents 🤞
tens of thousands of UK/London startups will change their address from 86-90 Paul Street to 66 Paul Street 😅 IYKYK
#hoxtonmix
I am always pleasantly astonished at the quality of talent Cambridge has. It's a privilege to be among this crowd.
We've locked in dates and venues for the North American (NA) and European (EU) fwd:cloudsec conferences this year!
fwd:cloudsec NA will be in the Seattle, Washington area at the Meydenbauer Center in Bellevue on June 1 and 2. 🧵
An example of cyber offence working with/for kinetic forces, perhaps. Next step is to defend in the digital battlefield from a possible retaliation.
www.politico.com/news/2026/01...
"On March 1, 2026, we are introducing a new $0.002 per-minute GitHub Actions cloud platform charge that will apply to self-hosted runner usage." 🤯
First, congratulations and well-deserved.
Second, if anyone hasn’t read this, it’s a hoot and worth your time.
I have to say Eldon Sprickerhoff's Committed has filled some critical gaps I didn't know I had. The book is also non-repetitive, has short-length chapters and is to-the-point.
www.goodreads.com/book/show/21...
Rust solves many problems we see in #cybersecurity at compile time. This choice reduces countless patching vulns, eases the load on security teams and increases the SNR for defensive products. Join us in #Cambridge for a deep dive into use of Rust for software you can trust 🧵
We dug deeper into data & telemetry sent #outbound by #Cursor, #Claude, #Copilot and 4 other agent editors, so you can make an informed choice. With the IOCs revealed, you can also monitor for shadow IT usage of these in your corporate/cloud networks.
chasersystems.com/blog/what-da...
I hired a director recently and this was my screening question: can you please explain the difference between public-key and symmetric-key cryptography.
Virtually all the candidates, who universally claimed security engineering expertise of some kind (some cryptography-related) could not. At all.
Solid work done by the team 💪. If you use agentic editors in your work, this is a must read. Only took two months of research.
...@chasersystems.bsky.social to focus on building detections for TTPs etc in the red and yellow parts, and developer experience to manage allowlists of the green part.
[1] detect-respond.blogspot.com/2013/03/the-...
The Pyramid of Pain [1] from over a decade ago is still 🎯. Block TTPs, Tools and Artifacts if you can detect them. Allow only trusted Domain Names and IP Addresses, in an otherwise default deny mode. Hashes just contribute to climate change. This graphic helps me at...
"Aston Martin now able to ship cars to US at lower tariff rate without hitting quota limit following JLR hack" 🤦
you couldn't make this up
www.ft.com/content/c08f...
More stock is on the way. Looks like we can keep this offer open for another week.
"The result is that there is often an inverse correlation between the size of an organization and how rapidly it installs patches." 💯
www.cs.columbia.edu/~smb/blog/20...
11:48 PM PDT Oct 19 ➡ 12:38 AM Oct 20 = 50 minutes. That's how long AWS took to "our engineers had identified DynamoDB’s DNS state as the source of the outage".
This is impressive, and evidence of "tribal knowledge" NOT having departed. IYKYK.
I only wish they used UTC 🇬🇧
I use openrouter·ai and agent Roo in vscode for exactly this. Can change the model per prompt in each step of the agent.
These were in solid demand at our @fwdcloudsec.org booth earlier this year and we couldn't help but spread the love among AWS users today. Get yours in the post. #us_east_1 #dns (GCP, Azure, etc peeps can also fill the form 😛 )
It's always DNS.
Or us-east-1.