pentest-tools.com

Pentest-Tools.com helps security professionals find, validate, and communicate vulnerabilities faster and with greater confidence - whether they’re internal teams defending at scale, MSPs juggling clients, or consultants under pressure.

With comprehensive coverage across network, web, API, and cloud assets, and built-in exploit validation, it turns every scan into credible, actionable insight.

Trusted by over 2,000 teams in 119 countries and used in more than 6 million scans annually, it delivers speed, clarity, and control - without bloated stacks or rigid workflows.

Toots about #infosec #penetrationtesting / #pentesting #ethicalhacking #offensivesecurity

2025-12-12

The signal-to-noise ratio in #Infosec feels like it’s hitting an all-time low. Between marketing hype and the fragmentation of social platforms, keeping up with the threat landscape without burning out is a challenge.

We got tired of the noise, so we polled our own red team and engineers: "What are the newsletters you actually open and read every week?"

We compiled the answers into a curated list. No fluff, no vendor spam—just the resources that help with deep-dive exploit analysis and industry shifts.

Check the list here: pentest-tools.com/blog/ethical

What are we missing? If you have a niche RSS feed or newsletter that keeps you sane, drop it in the replies. 👇

#EthicalHacking #OffensiveSecurity #CyberSecurity #RedTeam #Pentesting #Newsletters

2025-12-11

2025 was a gauntlet. 🥊

Scope creep. 3 AM terminal stares. WAFs that felt personal. It’s easy to focus on the workload. Let's talk about the fuel.

That split second the shell popped? Or the moment a critical finding finally "clicked" for the client?

We stay because the highs are worth the lows.

When you were ready to log off this year, what specific thing kept you in the fight?

Vote 👇 and drop your "War story of the year" in the comments.

2025-12-09

We haven't seen a CVSS 10.0 this scary since #Log4Shell. 🚨
So we launched the exploit and here is the proof. 👇👇👇

Everyone talks about detecting #React2Shell (CVE-2025-55182). But detection can only take you so far.

To *truly* know if you are exposed to this CVSS 10.0 RCE, you need to validate it.

So we launched the exploit.

We updated our offensive security suite to safely execute the full attack chain against your infrastructure.

Here is how you validate your risk in seconds (see the evidence below 👇):

🚀 Validate directly with Sniper: Auto-Exploiter

Action: Launch Sniper: Auto-Exploiter on the target.

Result: The smoking gun. It executes the payload and confirms RCE.

Proof: As you can see from the report highlights, it achieves code execution as user Next.js and captures full command history.

This isn't a simulation. It's a confirmed RCE path on a Linux target running Next.js.

Why this matters: Standard scanners might flag your safe apps as vulnerable (FPs) or miss modified instances (false negatives). Validation removes the doubt.

Don't guess. Exploit it (safely) before they do.

Run the validation now pentest-tools.com/exploit-help

React2Shell RCE Exploit
React2Shell Exploit Sniper: Auto-Exploiter
React2Shell Exploit Network Scanner

2025-12-08

While offensive security automation gives you data, accreditation gives you a good night’s sleep. 😴

Especially with #NIS2 reshaping the landscape.

Update: Pentest-Tools.com has been officially re-accredited by the DNSC (Romanian National Cyber Security Directorate) as a cybersecurity auditor through 2028.

We build the tech, and we’re certified to audit the results. 🛡️

Security isn’t about the PDF. It’s about the trust that goes into it.

#InfoSec #CyberSecurity #Compliance #Romania

2025-12-05

📊 39% of cloud environments are vulnerable to React2Shell.

New data from Wiz indicates that nearly 40% of cloud environments contain instances vulnerable to CVE-2025-55182. Even more concerning? 44% of all cloud environments have publicly exposed Next.js instances.

The "secure by design" assumption is working against defenders right now.

✅ Detection is LIVE.

We have updated the Network Vulnerability Scanner in Pentest-Tools.com to help you validate this specific configuration immediately.

As shown in the attached video, you can go from "exposed" to "confirmed" in seconds:

1. Select the Network Scanner

2. Input CVE-2025-55182

3. Get definitive proof with Request/Response evidence

Don't rely on version checks when the exposure surface is this wide.

🔗 Run the detection: pentest-tools.com/network-vuln

📜 Vulnerability breakdown: pentest-tools.com/vulnerabilit

📈 Data source: wiz.io/blog/critical-vulnerabi

#AppSec #ReactJS #CloudSecurity #React2Shell #InfoSec #VulnerabilityManagement #NextJS

2025-12-04

Your private AWS VPC isn’t as safe as you think. ☁️🔓

We just released the full recording of our live workshop from Infosecurity Europe 2025.

In this session, our CEO Adrian Furtună and Product Manager Dragoş Sandu bypass the "safety" of a private network to compromise a mock healthcare infrastructure ("SynaptiCare") live on stage.

The attack chain:

1️⃣ Tunneling: Using a VPN Agent to breach the private IP range.
2️⃣ RCE: Escaping a Redis sandbox to get root access.
3️⃣ Exfiltration: Bypassing Next.js auth to dump .env keys.
4️⃣ Compliance: Automating the fix for SOC 2 evidence.

It’s a practical look at automating vulnerability validation behind firewalls.

📺 Watch the full demo here: pentest-tools.com/events/infos

#Infosec #RedTeam #CloudSecurity #Pentesting #SOC2 #AWS #InfosecurityEurope

2025-12-03

You can learn a new tool in an afternoon. Building an adversarial mindset takes a lifetime. 🧠

We asked the #InfoSec community which books actually shaped their careers. If you're looking for a deep dive this winter, start with these essentials:

📕 The Web Application Hacker's Handbook (The foundational "why")
📘 Red Team Development and Operations (Strategy over tactics)
📗 Social Engineering: The Science of Human Hacking (The human element)

Get the full curated list of 70+ titles here: pentest-tools.com/blog/hacking

What’s the one book you recommend to every junior pentester?

#ethicalhacking #redteam #books #cybersecurity #learning

Pentesting book recommendations
2025-12-02

While folks are still recovering from Thanksgiving, our engineering team has been shipping new detection and exploitation modules.

If you're looking to cut noise and prove impact, here is what landed in Pentest-Tools.com this November:

Sniper: 3 new RCE modules (Oracle EBS, React Native Community CLI, WordPress Simple File List).

Network Scanner: Detection for ASP.NET Core request smuggling.

Web Scanner: Smarter SQLi testing logic.

Watch the full rundown here: youtube.com/watch?v=xQsT_f0jd9E

Full changelog: pentest-tools.com/change-log

#cybersecurity #vulnerabilitymanagement #offensivesecurity #infosec #devsecops

2025-11-28

Security isn't one-size-fits-all. Neither is your workflow.

We know that "doing security" looks different depending on your seat at the table. That's why we've organized our platform to solve the specific friction points you face daily:

🏢 Internal Teams: Automate routine scanning and stop drowning in noise.
🤝 MSPs: Scale service delivery and manage multiple clients in one place.
🕵️‍♂️ Consultants: Validate findings faster and deliver reports backed by proof-of-exploit.

Find the workflow that fits your reality: pentest-tools.com/solutions

#infosec #vulnerabilitymanagement #redteam #blueteam #msp

Solution Briefs - Pentest-Tools.com
2025-11-27

If you're clicking "Start Scan" manually every time, you're doing it wrong. 🖱️❌

Scaling security operations isn't about hiring more analysts—it's about scripting the repetitive work so you can focus on the complex stuff.

With the Pentest-Tools.com REST API, you can treat security like code:

🚀 DevSecOps: Trigger scans automatically in CI/CD (GitHub Actions, Jenkins) before deploy.
📊 Dashboards: Pull findings via JSON directly into your internal tools.
🔁 Bulk Ops: Launch assessments against 1,000+ targets with a single script.

Make security a function, not a bottleneck.

Docs & Details: pentest-tools.com/features/api

#DevSecOps #Infosec #Automation #Python #API #BlueTeam

REST API - Pentest-Tools.com
2025-11-26

"Zero trust" is a great architecture, but a terrible relationship strategy. 📉

What is your #1 strategy for building trust with a new client?

Read the full list of 8 strategies here: pentest-tools.com/blog/buildin

2025-11-26

Vulnerability assessment tools are everywhere. Accurate results are not.

Scanners produce noise, not proof. This leaves teams chasing false positives and delivering reports that fail to earn confidence.

Our new white paper explores the anatomy of accuracy:
🔹 Proof: Verifiable evidence (screenshots, traces)
🔹 Reproducibility: Consistent results
🔹 Context: Real-world exploitability (EPSS)
🔹 Clarity: Actionable findings

Stop chasing noise. Start validating risk.

Read the full white paper: pentest-tools.com/usage/accura

#vulnerabilitymanagement #infosec #offensivesecurity #ciso

Accuracy is the new product whitepaper
2025-11-24

A scan today doesn’t protect you from the CVE released tomorrow.

The gap between your quarterly pentests is exactly where attackers thrive. They don’t wait for your schedule, and your defense shouldn't either.

Vulnerability monitoring turns your security from a snapshot into a continuous process.

With Pentest-Tools.com, you can:

🔄 Schedule recurring scans: Daily, weekly, or monthly. Set it and forget it.
🔔 Get notified instantly: Receive alerts via email, Slack, or Webhooks the moment a new risk is detected.
📈 Track your evolution: See how your security posture changes over time.

Stop treating security like a static event.

Start monitoring your attack surface here: pentest-tools.com/features/vul

#vulnerabilitymanagement #offensivesecurity #infosec #automation

Vulnerability monitoring with Pentest-Tools.com
2025-11-21

🧐 What happens when AI builds your app, but a human insists on breaking it? That’s what we explored in our live session with Razvan-Costin IONESCU - "How attackers think (and why it’s still the best way to test AI products)".

Big thanks to everyone who joined and asked tough questions. You know we don't shy away from it!

🫣 It’s always good to talk shop with people who care about what’s actually exploitable, not just what looks risky on paper.

See how AI-built apps still fall to logic flaws, insecure integrations, and assumptions no scanner can flag.

If you missed it, you can now watch the full recording 👇

Get the full experience at: pentest-tools.com/webinars/how

2025-11-20

DefCamp 2025, you were so awesome! ⚡️

Another year, another incredible edition in the books. We are so proud to have been part of this event once again and to see the community showing up in full force in Bucharest.

Huge kudos to the organizers for pulling off such a great gathering. It was a blast seeing so many familiar faces and meeting so many new people who share our passion for breaking things (for the right reasons).

A few highlights from our team:

🎤 The talks: It was a big year for our research team on stage!

Our Founder & CEO, Adrian Furtuna, explored how LLMs are changing the game in "VIBE Pentesting" (enhancing the human hacker, not replacing them!).

Our Offensive Security Research Lead, Matei "CVE Jesus" Bădănoiu, took us deep into the "Nightmare Factory," breaking down the process behind the 15 fresh 0-days the team found this year.

📺 Missed them live? Don't worry, we'll be sharing the recordings on our YouTube channel soon, so keep an eye out!

👕 The swag: We knew our new merch was cool, but that line?! Seeing so many of you waiting to grab a Pentest-Tools.com T-shirt was a massive compliment. We hope you wear them while you hunt your next bug.

We’re already looking forward to the next one!

#DefCamp2025 #OffensiveSecurity #InfosecCommunity #Cybersecurity #Pentesting

Pentest-Tools.com team at DefCamp 2025
2025-11-19

MS(S)Ps, how do you stay on top of it all?

When every client has a different stack, timeline, and preferred reporting format, vuln management can get super messy.

We want to hear how you keep things clean (or at least try to 😉):

How do you keep vulnerability workflows clean across clients?

2025-11-18

Last chance to join tomorrow’s live session!

Attackers don’t care what built your app. They care how it breaks.

In this webinar, you’ll learn:
💡 Why logic flaws and insecure assumptions still drive critical risks in AI-heavy stacks
⚙️ Where human reasoning fills the gaps scanners and code reviewers miss
📘 How to use attacker workflows alongside AI tools to test faster and smarter

You’ll also get an actionable follow-up asset to help you apply these ideas in your own testing and client work.

Because even when AI changes how we build, the best way to secure what we create is still to think like someone trying to break it.

🗓️ Webinar registration link: pentest-tools.com/webinars/how

Webinar Razvan Ionescu - How attackers think (and why it's still the best way to test AI products)
2025-11-17

🚨 Old vuln, fresh damage - attackers hit Oracle EBS again.

Cl0p just listed nearly 30 new victims, from major companies to universities.
They use CVE-2025-61882, a pre-auth RCE in Oracle E-Business Suite (12.2.3 → 12.2.14) with a CVSS ≈ 9.8.

It’s already on CISA’s KEV list and spreading fast.

Here’s what most security teams face:
🚩 Patching doesn’t prove you’re safe.
🚩 Banner scans miss real exposure.
🚩 You need proof of exploitability, not assumptions.

Use Pentest-Tools.com to stay ahead:
✅ Detect Oracle EBS servers exposed to this RCE with the Network Scanner.
✅ Recreate the attack safely in Sniper: Auto-Exploiter to confirm impact.
✅ Verify your fixes and make sure no asset stays vulnerable.

No noise. No guesswork. Just proof.
Old vulns still do new damage - if you let them.

🔎 CVE-2025-61882 specs: pentest-tools.com/vulnerabilit
🗞️ Read the news: securityweek.com/nearly-30-all

#infosec #cybersecurity #offensivesecurity #ransomware #incidentresponse

CVE-2025-61882
2025-11-12

✍️ Before AI could write code, Razvan-Costin IONESCU was already breaking it.

As Head of Offensive Security Services at Pentest-Tools.com, Razvan leads high-impact pentests that turn complex vulnerabilities into clear, actionable guidance teams can actually use.

🪪 He’s also GSE-certified (#298)! One of the few professionals worldwide to earn this advanced credential. It’s proof of deep, practical expertise built through real-world exploitation, analysis, and problem-solving.

In our next webinar, he’ll share why the pentester mindset hasn’t changed, even as AI reshapes the surface of security, and how to apply that mindset to modern testing workflows.

📅 Join Razvan live on November 19! Sign up below ⬇️

🗓️ Webinar: How attackers think (and why it’s still the best way to test AI products)
🔗 Fill in the form to book your spot: pentest-tools.com/webinars/how

#vulnerabilityassessment #informationsecurity #cybersecurity #pentesting

Razvan Ionescu - Webinar - How Attackers Think
2025-11-11

🔐 The riskiest vulnerabilities live behind the login - and most scanners don’t go there. Howeverrrrr...

Attackers don’t stop at the login screen.

🏴‍☠️ They target what’s behind it: broken access controls, IDORs, insecure password policies, and privilege escalation paths.

If your web app assessments don’t follow real user journeys, you’re missing what actually matters.

Authenticated scanning is a particular area of focus for us because we want to make sure you can:

✅ Simulate real logins (headers, tokens, or credentials)
✅ Test session handling and authenticated flows
✅ Detect vulnerabilities in the pages users actually access

Wanna know how we do it? 🧰 See how it works: pentest-tools.com/features/aut
