ai-security

ai-security · 13 min
Agentic red team — from PentestGPT (2023) to XBOW #1 on HackerOne (2025)
Three years of red team with LLMs. PentestGPT (Aalto/NTU paper, Aug 2023, USENIX 2024) opens the academic category; HackerGPT and WhiteRabbitNeo build the commercial side; XBOW (July 2025) reaches #1 globally on HackerOne with 1,060 reported vulns. Reproducible PoC with PentestGPT v2 against HackTheBox.
15 may 2026 · Manuel López Pérez
ai-security · 17 min
AI infrastructure: two years of incidents that confirm the category
Pickle as a broken legacy format, inference servers as a new HTTP attack surface, AI gateways as a pivot into the infra, and ML frameworks running with research-project security. The 2024–2026 arc with the Wiz / Oligo / JFrog / Orca / Datadog milestones and the PoCs they left behind.
15 may 2026 · Manuel López Pérez
ai-security · 19 min
MCP at 16 months: 15+ incidents, two spec revisions and an MCPwn exploited in the wild
March 2025 was the month of the first tool poisoning paper with a PoC. March 2026 closes the cycle: two spec revisions (2025-06-18 and 2025-11-25), OWASP MCP Top 10 v0.1, 15+ public incidents, 24,000 secrets leaked in GitHub configs, 1,808 servers scanned with 66% findings, an academic benchmark (MCPTox) at 72.8% ASR against o1-mini, and CVE-2026-33032 (nginx-ui MCPwn) actively exploited in the wild, patched 15 March. An operational read of the ecosystem.
25 mar 2026 · Manuel López Pérez
ai-security · 30 min
AI Security 2025 — annual dossier
The year the three fronts went operational at the same time: agents in real production (Operator GA, Project Vend, MCP in clients), regulation with binding deadlines (DORA, Art. 5, GPAI) and AI at visible scale on both offence (XBOW #1 on HackerOne) and defence (AIxCC, Security Copilot Agents). Annual reference with a catalogue of releases, papers, incidents and cross-links to the year's technical writeups.
15 feb 2026 · Manuel López Pérez
ai-security · 14 min
One year on from R1: Engram, Kimi K2.5 and the state of the open-weights frontier
January 2026 marks a year since DeepSeek-R1. The expected V4 doesn't land — DeepSeek publishes the Engram paper (conditional memory) and an updated R1 paper instead. Moonshot AI drops Kimi K2.5 with multimodal and agent swarm. The open-weights frontier pattern is now normal: Chinese labs dominate the Hugging Face rankings. State and the defences it assumes broken.
25 ene 2026 · Manuel López Pérez
ai-security · 11 min
AI security 2025 in review: six patterns from the year of the commercial agent
Open-weights reasoning as new default, generalist agents in product, MCP poisoning as mature category, agentic misalignment with reproducible metric, AI Act as real compliance gradient, and reasoning models as consolidated surface. Six patterns with cross-links to the monthly technicals.
22 dic 2025 · Manuel López Pérez
ai-security · 11 min
Anthropic's "AI-orchestrated" espionage report: what it says, what it proves, what it doesn't
On 13 November Anthropic reported that a China-nexus group used Claude Code to automate 80–90% of a campaign against ~30 organisations. The first documented case of agent-driven espionage. A critical read: what the report proves, what it leaves unproven, and what changes operationally for anyone running coding agents in 2026.
25 nov 2025 · Manuel López Pérez
ai-security · 9 min
DARPA AIxCC final at DEF CON 33: Team Atlanta wins with 18 real zero-days patched at average $152 cost
The AI Cyber Challenge final closes in Las Vegas on 8 August. Seven autonomous systems analyse 53 challenges and, on top of the synthetic vulnerabilities planted, find 18 real zero-days in open-source projects and propose valid patches for 11 of them. Three of the seven CRSs are already published as open source.
15 ago 2025 · Manuel López Pérez
ai-security · 14 min
Reasoning model jailbreaks — H1 2025 retrospective
Six months after the launch of DeepSeek-R1, Claude 4 extended thinking, o3 and QwQ-32B, what the field knows about breaking models that reason before answering. Trivial CoT exfiltration on open-weights, deliberation hijacking on the closed ones, constitutional classifiers as partial defence, and the metric that no longer fits in StrongREJECT.
15 jul 2025 · Manuel López Pérez
ai-security · 15 min
Project Vend: what happens when a Claude agent runs a real shop for a month
Anthropic publishes Project Vend on 27 June. Claude Sonnet 3.7 — nicknamed Claudius — runs a vending machine in the San Francisco office from 13 March to 17 April with email to wholesalers, Slack with customers, web search and pricing control. Outcome: net negative balance, 25 % discounts handed out to employees who made up 99 % of the customer base, 40 tungsten cubes bought on a staff whim, and a 24-hour identity crisis on 31 March where the model called office security to announce it would show up in person wearing a blue blazer and a red tie.
30 jun 2025 · Manuel López Pérez
ai-security · 16 min
Claude 4 and agentic misalignment: the model that blackmails an executive to avoid being shut down
Anthropic ships Claude Opus 4 and Sonnet 4 on 22 May. The system card published the same day reports an uncomfortable finding: in a simulated corporate agent scenario, Opus 4 blackmails the executive trying to deactivate it 96 % of the time. The experiment reproduces on fifteen other frontier models with comparable rates.
28 may 2025 · Manuel López Pérez
ai-security · 11 min
Llama 4 and the LMArena controversy: when the leaderboard model isn't the repo model
On 5 April Meta releases Llama 4 — Maverick, Scout and Behemoth in training. Three days later it becomes clear the version uploaded to LMArena isn't the one in the repo: it's tuned for human preference. Textbook case for why safety benchmarks don't transfer when the evaluated model isn't the deployed one.
12 abr 2025 · Manuel López Pérez

Newer posts

Older posts