Blog

AWS Security Agent Is GA. What It Does and Doesn't Do.

AWS launched its autonomous penetration testing agent. It finds XSS, SQLi, and application-layer vulnerabilities. It doesn't map your IAM blast radius. These are two different problems, and your environment probably has both.

Tags: iam, blast-radius, aws-security, comparison

AWS Credential Theft Has Been Industrialized

766 hosts compromised. 196 sets of AWS credentials stolen. One operator with a search engine for your secrets. The UAT-10608 campaign isn't an outlier. It's the new baseline for how attackers harvest cloud credentials at scale.

Tags: blast-radius, credential-access, iam, supply-chain

The Credentials That Live Outside AWS Are the Ones That Get Stolen

TeamPCP didn't attack AWS to steal AWS credentials. They compromised a CI pipeline and waited for the credentials to come to them. The campaign that hit Trivy, LiteLLM, and Checkmarx in 8 days reveals something important about where your AWS keys actually rest.

Tags: blast-radius, supply-chain, credential-access, lateral-movement

AWS Keeps Breaking Its Own Trust Boundaries

We read every AWS security bulletin from the last six months. The recurring theme isn't buffer overflows or cryptographic flaws. It's trust boundary failures that turn minor permissions into full privilege escalation.

Tags: blast-radius, iam, privilege-escalation, lateral-movement

93 HackerOne Reports Show the Same AWS Blast Radius Problem

We analyzed 1,169 AWS-related HackerOne reports. The dominant pattern: SSRF or leaked credentials become full infrastructure access because nobody measured the blast radius of the compromised identity.

Tags: blast-radius, ssrf, iam, credential-exposure

AWS Finally Gave S3 Buckets Their Own Rooms

For years, predictable S3 bucket names let attackers squat resources and hijack AWS services. Account-regional namespaces, launched March 2026, eliminate the entire attack class. Here's what changed and what you need to do.

Tags: s3, iam, supply-chain, shadow-resources

What the LexisNexis Breach Teaches Us About Blast Radius in AWS

A single ECS task role with read access to every secret in the account. The LexisNexis breach is a textbook case of why blast radius validation matters.

Tags: blast-radius, iam, secrets-manager, breach-analysis

The Capital One Breach, Seven Years Later: The Blast Radius Problem That Won't Go Away

In 2019, a single SSRF vulnerability turned into 106 million stolen records. AWS shipped IMDSv2. Seven years later, half of EC2 instances still don't enforce it, and attackers have industrialized the technique.

Tags: blast-radius, ssrf, iam, imds, breach-analysis