The Cyber Threat Perspective

SecurIT360
Latest episode

222 episodes

  • The Cyber Threat Perspective

    Episode 185 | A Toddler with a Bazooka: The Real Risk of AI Agents

    18.06.2026 | 45 Min.
    AI agents can search the web, manipulate files, run commands, make API requests, access cloud platforms, and operate fully autonomously. They are powerful, they are here, and most organizations have no security controls around them whatsoever.
    In this episode, Brad and Spencer break down the five major AI agent risk categories security teams need to understand right now, using Simon Willison's "lethal trifecta" as a framework and building on it with two additional risk areas they see in the field.
    In this episode:
    - What an AI agent actually is and why the definition matters before you can secure it
    - What AI agents are capable of: files, commands, APIs, memory, cloud access, and autonomous execution
    - The lethal trifecta: access to private data, exposure to untrusted content, and external communication
    - Risk category 1: Access to private data - why agents inherit your permissions and why that is dangerous
    - Risk category 2: Exposure to untrusted content and prompt injection attacks
    - Risk category 3: External communication and data exfiltration (including a real canary token experiment)
    - Risk category 4: Privileged access and limiting blast radius with least privilege identities
    - Risk category 5: Autonomous actions, approval gates, rate limits, and kill switches
    - Why backups, rollback plans, and recovery playbooks are more important than ever in an AI agent world
    Resources mentioned:
    - Simon Willison's lethal trifecta post (June 2025): https://simonwillison.net
    - Zach Korman's ContinuumCon sandbox escape workshop: https://continuumcon.com/schedule/
    - offsec.blog | securit360.com
    Need a pen test before end of year? Q3 slots are filling up fast. 
    Blog: https://offsec.blog/
    Youtube: https://www.youtube.com/@cyberthreatpov
    Twitter: https://x.com/cyberthreatpov
    Follow Spencer on social ⬇
    Spencer's Links: https://spenceralessi.com
    Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.
  • The Cyber Threat Perspective

    Episode 184 | Active Directory Isn't Dead. It's Just Undefended.

    11.06.2026 | 28 Min.
    Think Active Directory is dead? Think again. According to Microsoft data, 86% of organizational workloads still touch Active Directory, and nearly 20% of organizations don't expect to reach a hybrid state for 10-20+ years. In this episode, Brad and Spencer break down why AD attack paths remain one of the most critical threats in enterprise environments and what defenders can do about it right now.

    Spencer also previews his ContinuumCon workshop "Killing AD Attack Paths Once and For All" where he demonstrates how authentication policies and silos can eliminate an entire class of lateral movement attacks built into Windows and Active Directory.

    In this episode:

    - Why Active Directory is still alive, well, and heavily targeted
    - What an Active Directory attack path is and how attackers use them
    - The four prerequisites attackers need to abuse AD attack paths
    - Real-world examples: Kerberos ticket theft, SCCM abuse, certificate misconfigurations, and misconfigured permissions
    - Tools defenders should know: Bloodhound, PingCastle, Purple Knight, Locksmith, and ADelegator
    - How to prioritize remediations based on ease of exploitation vs. impact
    - Why retesting is the most overlooked step in any remediation cycle

    Resources mentioned:

    - Spencer's ContinuumCon Workshop (Fri. June 12, 10:30am PT / 1:30pm ET): https://continuumcon.com/schedule/
    - Hybrid Identity Protection Podcast (Semperis): https://www.semperis.com/hybrid-identity-protection-podcast/
    - Bloodhound CE: https://github.com/SpecterOps/BloodHound
    - PingCastle: https://www.pingcastle.com
    - Purple Knight: https://www.purple-knight.com
    - Locksmith: https://github.com/TrimarcJake/Locksmith
    - offsec.blog | securit360.com
  • The Cyber Threat Perspective

    Episode 183 | OWASP Top 10 Part 2: Security Misconfigurations That Get You Hacked

    05.06.2026 | 28 Min.
    Security misconfiguration is one of the most frequently found vulnerabilities in web application pen testing — and most of the fixes are just a checkbox. In Part 2 of their OWASP Top 10 series, Brad Causey and Jordan Natter cover OWASP A05: Security Misconfiguration with real stories from recent engagements and practical takeaways for developers, security teams, and organizations of all sizes.
    In this episode:
    - Hardcoded Active Directory credentials and API keys discovered in a public GitHub repo during a healthcare pen test
    - Default credentials (admin/1234) found on a clinical research app storing PHI
    - A rogue Apache basic auth panel that survived from dev into production
    - How verbose error handling and stack traces hand attackers a roadmap to your app
    - Why dev-to-production is the most dangerous transition in your app's lifecycle
    - The shift-left mindset and DevSecOps — empowering devs to ship secure code
    - How CIS lockdown guides can dramatically improve your security posture overnight
    Resources mentioned:
    - OWASP Top 10: OWASP Top Ten Web Application Security Risks | OWASP Foundation
    - CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks
    - Ep. 182 – OWASP Top 10 Part 1: https://youtu.be/BwYJ-kZ3XaY
    Need a web application pen test? Reach out: Offensive Security - SecurIT360
  • The Cyber Threat Perspective

    Episode 182: Patching Crisis — Vulns Now #1 Attack Vector (2026 Verizon DBIR)

    27.05.2026 | 30 Min.
    Hosts Brad Causey and Spencer Alessi break down the 2026 Verizon Data Breach Investigations Report, focusing on the findings that actually matter for IT and security teams.
    The biggest surprise: vulnerability exploitation has overtaken stolen credentials as the top initial access vector, accounting for 31% of attacks, while credential abuse dropped to just 13%. This completely flips the script on years of "identity is the new perimeter" thinking.
    Topics covered include:
    - Vulnerability explosion and remediation crisis: Why there are too many vulnerabilities and not enough time for patching, with only 26% of CISA KEV vulnerabilities fully remediated (down from 38%)
    - The patching time paradox: Median remediation time increased from 32 days to 43 days despite organizations initially getting faster at patching from 2022-2024
    - Web application sprawl: How the push to cloud and SaaS has created massive attack surfaces organizations don't own and can't patch
    - The top 4 initial access vectors: Vulnerability exploitation, phishing, credential abuse, and pretexting
    - Ransomware economics shifting: 48% of breaches involved ransomware, but 69% of victims didn't pay and median payments dropped to $139,875
    - Mobile phishing success: Mobile-centric phishing had 40% higher success rates than email phishing as users get better at spotting email threats
    - Social engineering evolution: The human element appeared in 62% of breaches, with pretexting requiring different countermeasures than traditional phishing
    - Shadow AI explosion: 45% of employees are regular AI users on corporate devices (up from 15%), with 67% using non-corporate accounts
    - AI data exfiltration: Shadow AI is now the third most common non-malicious insider risk, with source code being the top data type leaked
    - MCP and IDE extension risks: Real-world examples including PocketOS having their entire production database deleted by Claude connected to a railway CLI MCP
    Brad and Spencer emphasize that while the threat landscape is shifting dramatically, the fundamentals still matter. Organizations need to get comfortable with not being able to patch everything and focus on what matters most.
  • The Cyber Threat Perspective

    [Replay] Episode 159: How to Break Into Cybersecurity — What Actually Works

    20.05.2026 | 44 Min.
    We're re-releasing one of our most practical episodes this week — originally published November 2025, and still one of the best roadmap conversations we've had on the show.
    Brad and Spencer share no-fluff advice for breaking into cybersecurity, whether you're switching careers, starting from scratch, or leveling up from a general IT role. They cover what employers actually look for, the fastest paths in, and what to skip.
    If you're exploring a cybersecurity career, or know someone who is, this one's for you.
About The Cyber Threat Perspective
Step into the ever-evolving world of cybersecurity with the offensive security group from SecurIT360. We're bringing you fresh content from our journeys into penetration testing, threat research and various other interesting topics.
Contact: brad@securit360.com