In Episode 177 of the Cyber Threat Perspective podcast, host Brad Causey and virtual CISO Daniel Perkins take a clear-eyed look at Claude Mythos — Anthropic's AI model that's generating serious buzz in the cybersecurity world for its ability to analyze source code, identify vulnerabilities at scale, build working exploits, and surface flaws that have sat undetected for decades.

The cybersecurity community is reacting. Brad and Daniel think a more measured response is warranted.

This episode breaks down what Mythos actually is, what it actually did, and what it actually means for your security program — without the hype or the hand-waving.

Topics covered include:

• What Mythos really is — a purpose-built code analysis model, not a hacker-in-a-box or AI overlord, and why that distinction matters
• The BSD vulnerability reality check — it cost $20,000 to find a 20-year-old DOS flaw in software almost nobody uses, and what that tells us about the real-world economics of AI-driven vulnerability discovery
• Speed, not net-new — why Mythos hasn't introduced anything fundamentally new to the threat landscape, just compressed the timeline dramatically
• Vulnerability chaining — how Mythos could change triage by identifying how low and medium severity CVEs combine into critical attack paths
• The vibe coding problem — why organizations that have never written code before are now writing a lot of it, and why that's where Mythos becomes genuinely important
• What this means for pen testing — why AI finding code flaws doesn't replace the human-driven validation of security programs, business logic testing, and misconfiguration discovery
• The shift to continuous vulnerability management — why monthly or quarterly scanning cycles won't be sufficient once Mythos capabilities proliferate, and how to make the move to continuous without going big bang
• The Mythos-Ready framework — a look at the CSA guidance document, what's useful, what needs to be scaled to your organization, and why inventory and attack surface should come before governance for most teams
• Supply chain and third-party risk — how Mythos changes the questions you should be asking your software vendors

The bottom line from Brad and Daniel: be responsive, not reactive. Tighten your patching SLAs, understand your attack surface, document your decisions, and execute the fundamentals well. The organizations that do that won't be caught flat-footed when this becomes mainstream.

Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov

Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com

Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

In Episode 176 of the Cyber Threat Perspective podcast, Brad and Spencer break down some of the most repeated cybersecurity best practices in the industry and explain why, despite sounding solid on paper, they consistently fall short in real IT environments.

This isn't about dismissing good security principles. It's about closing the gap between advice that looks great in a framework and controls that actually hold up against how attackers operate.

Topics covered include:

• "Just enable MFA everywhere" — why focusing only on RDP leaves SMB, WinRM, service accounts, and legacy protocols wide open
• "EDR will catch it" — the danger of over-relying on a single control, including a little-known CrowdStrike behavior where it self-disables on domain controllers at 90% resource utilization — often completely unnoticed
• "Patch everything immediately" — why blind speed creates its own operational risk, and how to build a prioritized, high-risk patching process that actually works
• "Least privilege everywhere" — why removing permissions without providing alternatives drives workarounds, shared accounts, and exceptions that undo the whole point
• "Follow the framework and you're secure" — why compliance is a starting point, not a finish line, and what most standards actually require vs. what actually reduces risk
• Focusing on attack paths over checklists — why thinking like an attacker leads to better security decisions than ticking boxes

Brad and Spencer close with what actually works: context-driven decisions, management buy-in, clear communication when making sweeping changes, and validating every control through internal penetration testing. As Spencer notes, most clients don't have full confidence in their EDR and SOC after a pentest — and that's exactly why trust but verify matters.

Also mentioned: Spencer and Brad's upcoming Tools of the Trade workshop at the ILTA Evolve conference in Denver.

Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov

Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com

Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

In Episode 175, Spencer and Tyler break down NetTools — a free, self-contained Active Directory management and troubleshooting tool that’s become a go-to for their internal penetration testing engagements.

They start with the backstory: years of relying on AD Explorer from Microsoft Sysinternals, and the growing need to evade EDR detections. At one point, that meant manually obfuscating binaries with a hex editor. NetTools eliminates that friction entirely — no installation, no dependencies, no signatures to fight.

Topics covered include:

• Why NetTools replaced AD Explorer and how EDR pressure forced the shift
• Group Policy enumeration, including how to spot dangerous GPO permissions like authenticated users with write access to server OUs
• LDAP Search & Browser for querying AD, identifying risky data (like passwords in descriptions), and exploring object relationships
• Assigned Trustees & Permissions Reporter for fast, visual identification of misconfigurations
• How to run NetTools from non-domain-joined machines using saved credential profiles
• Password checker functionality for targeted validation without spraying the environment

For pentesters, it’s a faster way to get visibility into AD risk. For IT admins, it’s a practical way to audit and harden your environment.

NetTools combines the functionality of multiple tools into one portable utility. Learn more at nettools.net. Credit to creator Gary Reynolds.

NetTools | The Swiss army knife of AD troubleshooting

Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov

Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com

Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

In Episode 174, host Brad Causey is joined by guest Jordan Natter for a practical, tool-focused conversation on web application penetration testing. Together they break down the essential tools and Burp Suite Pro extensions that make up a modern web app pen testing toolkit.

Topics covered include:

• Burp Suite Pro vs. OWASP ZAP — comparing capabilities, extensions, and use cases
• CSP Auditor — identifying unsafe Content Security Policy directives
• JSON Web Token (JWT) extension — surfacing and tampering with JWTs in HTTP history
• Retire.js — flagging outdated JavaScript libraries with known vulnerabilities
• CyberChef & JWT.io — encoding, decoding, and debugging tokens
• Postman & Swagger — API testing and documentation workflows
• SQLMap — powerful SQL injection discovery (and why you should never run it in production)
• Proxy Forge — evading cloud-based WAFs and testing geo-blocking
• GraphQL Hunter — enumerating and testing GraphQL instances

Have a tool or extension you swear by? Drop it in the comments — Brad and Jordan want to hear from you!

---

Burp Suite is an integrated platform for attacking web applications. http://portswigger.net/burp/

Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov

Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com

Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

How do you find insecure permissions in Active Directory before they turn into attack paths?

In this episode, we take a practical look at how to identify insecure Active Directory permissions using ADeleg, a free security tool trusted by penetration testers.

Misconfigured delegation and overly permissive access rights are a common source of risk in Active Directory environments. These gaps can create hidden attack paths—but many teams don’t know where to look or how to interpret what they’re seeing.

In this episode, we cover:

• How to identify insecure permissions in Active Directory
• What to look for in high-risk users and groups like Domain Users, Everyone, and Authenticated Users
• How these misconfigurations translate into real-world attack paths
• How to use ADeleg to analyze delegated permissions and uncover hidden risk

We also include a reference to ADeleginator, a related tool that can help automate parts of this process using PowerShell. While this episode focuses on hands-on analysis with ADeleg, ADeleginator is a useful companion for scaling this work.

Tools referenced:

ADeleg: https://github.com/mtth-bfft/adeleg

Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov

Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com

Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

Hey folks! Greetings from the Offensive Security group at SecurIT360. Brad & Spencer are on this episode of The Cyber Threat Perspective to break down The Biggest Security Blind Spots in Mid-Size Companies.

In this episode, we expose the most common (and dangerous) gaps that leave mid-sized organizations wide open: poor asset inventory, flat networks, flat identities, overconfidence in security tools, credential reuse, and the emerging risks with AI.

If any of these hit home, go to offsec.blog/pentesting, fill out the form on our website, and see if we’re a fit for you.

Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov

Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com

Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

Pentesting is quickly evolving with the integration of AI, fundamentally changing how cybersecurity professionals approach their work. In this episode, Spencer and Brad discuss the real shifts they’re seeing in the industry and what the future may look like.

• The pivotal changes in AI that have impacted pentesting over the past year
• The emergence of agents, orchestration, and single-pane-of-glass platforms for streamlined operations
• How AI is enabling rapid tool creation, customization, and administrative efficiency
• The effect of AI on skillsets, closing the gap between junior and senior pentesters
• Why human expertise remains irreplaceable despite advancements in AI-driven tools

Tune in to hear straight-forward perspectives on the future of pentesting and actionable insights for professionals looking to stay ahead.

Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov

Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com

Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

In this episode, we break down the biggest insights from the CrowdStrike 2026 Global Threat Report and what they actually mean for IT leaders, security teams, and executives. From attackers abusing trusted identities and bypassing security tools to exploiting edge infrastructure and leveraging AI to move faster than ever, the modern threat landscape is shifting in ways many organizations aren’t prepared for.

https://www.crowdstrike.com/en-us/global-threat-report/

https://mhaggis.github.io/ClickGrab/

Episode 164: Offensive Security in the Age of AI - What Has...

Episode 155: How We Use AI Offensively - Offensive Security Blog - SecurIT360

Episode 146: What Are The Security Implications of AI -...

Episode 144: How Cyber Threat Actors Are Using AI -...

Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov

Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com

Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

In this episode, we’re digging into malicious browser extensions...the quiet, often overlooked attack vector living inside nearly every organization. While we focus on patching servers, hardening Active Directory, and deploying EDR, attackers are increasingly abusing the browser as their initial foothold. We’ll break down how these extensions work, why they’re so dangerous, and what IT leaders can realistically do about it.

Check out these resources:

Annex - Enterprise Software Extension Security & Management

https://crxaminer.tech/

https://x.com/tuckner

https://x.com/IceSolst

[email protected]

Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov

Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com

Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

Brad and Jordan talk bout web app pen testing, why you might need it, and why other forms of app sec might not be good enough.

Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov

Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com

Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.