
The Cyber Threat Perspective

SecurIT360

218 episodes

  • The Cyber Threat Perspective

    [Replay] Episode 159: How to Break Into Cybersecurity — What Actually Works

    20/05/2026 | 44 mins.
    We're re-releasing one of our most practical episodes this week — originally published November 2025, and still one of the best roadmap conversations we've had on the show.
    Brad and Spencer share no-fluff advice for breaking into cybersecurity, whether you're switching careers, starting from scratch, or leveling up from a general IT role. They cover what employers actually look for, the fastest paths in, and what to skip.
    If you're exploring a cybersecurity career, or know someone who is, this one's for you.
    Blog: https://offsec.blog/
    Youtube: https://www.youtube.com/@cyberthreatpov
    Twitter: https://x.com/cyberthreatpov
    Follow Spencer on social ⬇
    Spencer's Links: https://spenceralessi.com
    Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.
  • The Cyber Threat Perspective

    Episode 181: AI Zero Days (Google Threat Intelligence Report)

    12/05/2026 | 41 mins.
    Brad and Spencer break down Google Threat Intelligence Group's latest report on how adversaries are weaponizing AI across the entire attack lifecycle.
    The big takeaway isn't that AI has magically replaced attackers, but that it's making certain workflows faster, more scalable, and more repeatable. More importantly, AI platforms, agent skills, integrations, and dependencies are now becoming targets themselves.
    Topics covered include:
    AI for vulnerability discovery and exploit development: Google's first confirmed case of a zero-day exploit developed entirely with AI, including intentional prompts like "You are currently a network security expert specializing in embedded devices"
    Claude skills weaponization: A distilled knowledge base of over 85,000 real-world vulnerability cases integrated into AI research workflows
    Automation and scaled research: APT45 sending thousands of repetitive prompts to recursively analyze CVEs and validate proof-of-concept exploits
    AI-powered obfuscation techniques: Dynamic modification, evasive payload generation, and decoy logic using Gemini API for just-in-time VBScript obfuscation
    Autonomous attack orchestration: Moving beyond content generation into sophisticated malware command automation, including PromptSpy navigating Android UI for persistence
    AI-enhanced reconnaissance: Generating detailed organizational hierarchies and third-party relationships for high-value targets in finance, security, and HR departments
    Information operations and deepfakes: Taking legitimate journalist videos, editing in fabricated content, and adding AI-generated voiceovers
    Attacking AI dependencies: TeamPCP (UNC6780) targeting AI environments as initial access vectors, including March 2026 supply chain attacks on Trivy, Checkmarx, and LiteLLM
    The Mini Shai-Hulud worm: May 2026 attacks targeting AI infrastructure and dependencies
    Defensive fundamentals: Why inventory, zero trust principles, and behavioral monitoring matter more than ever
    Brad and Spencer emphasize that while the threat landscape is evolving rapidly, doubling down on foundational security practices remains the most effective defense strategy.
  • The Cyber Threat Perspective

    Episode 180: Cybersecurity Echo Chambers — How to Think Critically in a Hype-Driven Industry

    07/05/2026 | 29 mins.
    In Episode 180, hosts Brad Causey and Spencer Alessi tackle a critical but often overlooked issue in cybersecurity: the echo chambers that can undermine critical thinking and effective security programs.
    Inspired by recent experiences at the ILTA Evolve conference, Spencer and Brad explore how cybersecurity professionals, from practitioners to executives, can fall into bubbles where everyone reinforces the same ideas without questioning underlying assumptions.
    Topics covered include:
    What cybersecurity echo chambers look like: conferences where everyone "reaffirms what they already knew" instead of challenging assumptions
    The AI hype cycle as a prime example: why the industry's multi-million-dollar conferences around "the new thing" miss the point that fundamental security principles still apply
    Social media's role in amplifying bias: how anecdotes from single engagements get generalized into "every organization is terrible at X" without considering nuance
    Conference culture and groupthink: when entire events operate in lockstep without anyone asking critical questions
    The danger of not having your own opinion: how IT and security leaders without formed opinions become vulnerable to the best sales pitch rather than the best solution
    Vendor influence on thought leadership: understanding financial and emotional motivations behind industry messaging
    Strategies to combat echo chambers: doing your own research, questioning everything, admitting when you don't know something
    The power of diverse perspectives: why opinions from people outside your expertise can be the most valuable
    Acknowledging bias and being wrong: how intellectual humility breaks down echo chambers
    Building a network of trusted advisors: asking people you trust what they think, even if they're not domain experts
    While technical skills are crucial, nothing ruins a cybersecurity organization like bad culture, and echo chambers are a subcategory of that cultural problem. Whether you're navigating conferences, evaluating vendors, or building your security program, this episode offers practical guidance for maintaining critical thinking in an industry that can be driven more by hype than substance.
  • The Cyber Threat Perspective

    Episode 179: OWASP Top 10 Part 1 - Broken Access Control, IDOR, and CORS Explained

    30/04/2026 | 28 mins.
    In Episode 179 of the Cyber Threat Perspective podcast, host Brad Causey and web app pen tester Jordan Natter kick off a multi-part series on the OWASP Top 10, the newly updated list of the most common and critical web application security risks, with a fresh version released in 2025.
    Before diving in, Brad sets the record straight on something that's been bugging him for 20 years: the OWASP Top 10 is an awareness document, not a compliance framework, not a pen test checklist, and not a comprehensive defense guide. If your vendor claims they "comply with the OWASP Top 10," that's a red flag — you can't comply with an awareness document.
    Part 1 focuses entirely on A01: Broken Access Control — the most dangerous and most common category on the list — and the conversation goes deep with real-world stories from active engagements.
    Topics covered include:
    What OWASP actually is — and why the Top 10 is both invaluable and widely misunderstood
    Broken Access Control — what it means, why it tops the list, and how it manifests in real applications
    JWT validation failures — a healthcare application where improper JWT handling allowed unauthorized access to admin functionality
    MFA bypass via broken access control — a university application where MFA codes weren't properly scoped, enabling account takeover
    CORS misconfigurations — how Cross-Origin Resource Sharing policies fail in modern Node and React applications, including a real story of bypassing CORS by allowing AWS resources
    Insecure Direct Object References (IDOR) — why IDOR isn't just about changing integer IDs, including a university app where changing a student ID number led to staff-level privilege escalation
    S3 bucket IDOR — how a modern web application exposed PHI by returning GUIDs in JSON responses that could be enumerated directly
    Hidden functionality as false security — why hiding admin URLs from the navigation bar is obscurity, not security, and how Jordan accessed an entire admin PDF panel as an unauthenticated user just by copying a URL
    OWASP Top 10: https://owasp.org/Top10/2025/0x00_2025-Introduction/ 
  • The Cyber Threat Perspective

    Episode 178: Internal Security Controls That Actually Frustrate Attackers

    22/04/2026 | 31 mins.
    In Episode 178 of the Cyber Threat Perspective podcast, hosts Spencer and Tyler take a practitioner-first look at the internal security controls that genuinely make attackers' lives difficult, drawing directly from their experience conducting hundreds of internal penetration tests every year.
    This isn't a vendor comparison or a theoretical framework. It's an honest account of what works, what gets misconfigured, and what separates organizations that slow attackers down from those that don't.
    Topics covered include:
    Application Control — ThreatLocker and Magic Sword — why app control is probably the single most effective endpoint control against attackers, how the learning period works, why jumping straight to enforcement mode is a mistake, and why executive buy-in is as critical as the technical implementation
    WDAC vs. traditional App Locker — the differences, what closed-book enforcement actually means for attackers, and the two schools of thought on allow-list vs. block-list approaches
    Strong identity controls — MFA beyond RDP including SMB, WinRM, and HTTP via products like Silverfort, why push notification MFA falls short, and why number matching matters
    Protected Users Group — one of the most powerful and underused Active Directory controls, with a real-world story of how it nearly matched a full third-party identity product in effectiveness during a law firm pen test
    Least privilege and admin tiering — why Help Desk is one of the most targeted groups for social engineering, how over-permissioned service accounts hand attackers domain admin in minutes, and the real cost of control path vulnerabilities
    Network segmentation and zero trust — why domain controllers don't need internet access, how segmentation limits attacker recon, and where products like Zscaler fit in
    EDR baselining and UEBA — why plugging in an EDR tool and expecting it to work isn't enough, the case for getting back to behavior-based detection, and why catching recon activity matters more than catching execution
    Deception — honeypots, canaries, and fake assets — why deception is underrated, why high-fidelity low-false-positive alerts change the game, and what it actually feels like as a pen tester to trip on a well-placed decoy without knowing it
    Also mentioned: Spencer and Brad's Tools of the Trade workshop at ILTA Evolve — Denver, end of April.
About The Cyber Threat Perspective
Step into the ever-evolving world of cybersecurity with the offensive security group from SecurIT360. We’re bringing you fresh content from our journeys into penetration testing, threat research and various other interesting [email protected]