Skip to content
PodcastsNews7 Minute Security

7 Minute Security

Brian Johnson
7 Minute Security
Latest episode

730 episodes

  • 7 Minute Security

    7MS #731: CARTP – Cloud Red Team Tactics for Attacking and Defending Azure – THE FINAL CHAPTER!

    2026/07/17 | 53 mins.
    Hey friends! Fair warning: today's episode is a bit of an emotional rollercoaster — we've got a big security win, some honest lab feedback, and a very personal share about my dad's funeral. Buckle up.
    CARTP certified, baby! — I'm officially a Certified Azure Red Team Professional (CARTP), courtesy of the folks at Altered Security. It's been a long time coming (I originally signed up for the live version and fell off after missing a couple Saturdays), but I came back for the self-paced 30-day version and finally finished the job.
    The lab experience — the good: — ~25 objectives, a solid lab guide, and a really fun variety of attack paths. Highlights include stealing tokens, enumerating Azure tenants, attacking apps and VMs and key vaults, simulated phishing against real tenant email addresses, popping reverse shells, and some clever OneDrive-based follow-on attacks via session hijacking. There's even some web app pen testing (hello, server-side template injection!) sprinkled in.
    The lab experience — the not-so-good: — The included videos are… not my favorite format. Think notepad-on-screen copy-paste tutorials with zero context. To fill in the gaps, I leaned heavily on Claude — pasting blobs of the lab guide and asking things like "why did stealing this token give me X but not Y?" — and it did a great job standing in where a live instructor would normally add color and context.
    Exam tips (spoiler-free, I promise): — A few things that helped me: I had Claude build me a CliffsNotes study guide from all our study-session chats — token context, command flags, the works.
    Before hitting start on the 24-hour clock, I fed Claude a list of all the tools I'd been using in the lab and had it build a one-shot PowerShell script to pull them all down from GitHub onto a fresh Windows VM.
    If your exam lab environment fails to spin up (as mine did in the US region), just try a different region — UK worked great for me.
    Enumerate. Enumerate. Enumerate. Know your tools, know which ones cover which areas of an Azure tenancy, and know how to get more verbose/tabular output when you need it.
    Take screenshots and notes as you go — the lab closes after 24 hours and you've got 48 hours to submit your report, so if you forgot to grab a screenshot of a flag… you are SOL, my friend.

    The exam itself: — I started around 5:30 p.m., wrapped up around 11 p.m., and had the final flag captured, a full Word report drafted, and was in bed at a reasonable hour. Submitted the report the next morning after the gym and a mint hot cocoa, and had my pass confirmation back well within their 7-business-day window.
    Private pen test training is happening: — I'm currently running a private 3-day session of our Active Directory pen testing class (version 2.0 — it got a big facelift!). It's built on the Game of Active Directory platform and we fully pwn three separate domains over the course of three days. If you can send 3–7 people, reach out at 7MinSec.com/training to line up a private session. I'm also building an interest list for a public version later this fall (reach out if interested)!
    Also: check out 7MinSec.club — I dropped a little show-and-tell video over on 7MinSec.club this week giving you a peek at what the training looks like in action.
    Dad's funeral: — I shared some words at my dad's service this past Saturday and wanted to capture them here while they're fresh, since this podcast is basically my journal at this point. The service was perfect — very "him." He'd actually written funeral instructions (yes, they literally sat in a safety deposit box for years) specifying things like: max 10-minute message from the pastor, specific Bible verses, specific songs, and — my favorite — if the service runs over 45 minutes, someone needs to pull the fire alarm. He came up with that final instruction at his brother's funeral, which ran nearly two hours. He leaned over, squeezed my knee and said, "If my service goes over 45 minutes, pull the fire alarm."
    The song: — I played and sang at the service. The song was "Jesus Savior Pilot Me" — not a personal favorite of my dad's exactly, but he called it "the one about Jesus flying airplanes" after seeing me perform it years ago at the Minnesota State Fair chapel. I practiced it in the car on the way to Caribou every morning until I could get through it without crying. My guitar teacher's advice: close your eyes, focus on your fingers, and pretend you're just playing a tune in a room. It worked. Mostly.
    Thank you: — Seriously, so many of you have sent kind messages and I just want you to know it means the world. He taught me a lot about being a good dad, a good husband, and how to live with passion, a good attitude about your work, and a heart for serving others.
  • 7 Minute Security

    7MS #730: Baby's First Project Swarm

    2026/07/10 | 25 mins.
    Hey friends! Still your grieving pal over here, but also your swarming friend and Protecting My Network Edge host — because this week I've been tinkering with something called Project Swarm and I've got my diapers on regarding it, but I really, really like what I see so far. Then, fair warning, I flip on the tangent light and verbally barf up some personal stuff at the end. I'll make the hand-off super clear, so if you want your free security podcast to do exactly what you want and nothing else — totally fair, and you won't offend me by hopping off. Here's what we cover:
    What is Project Swarm? This comes to us from our friends over at GreyNoise. It centers around little sensors you deploy to the edges of your network that you can dress up to look like just about anything — attracting flies to the honey, if you catch my drift. You get more enumeration, insight, and logging into whatever shenanigans those flies are using to poke at your edge.
    Setup was refreshingly easy: You need a very low-powered VM or hardware device (my understanding is it even works on a Raspberry Pi) mapped to a public IP, plus a free GreyNoise account. You generate an API key, copy-paste a one-line install, and off it goes. I threw mine on a tiny Ubuntu VM.
    The part where I didn't read the flipping manual: Mid-install my SSH connection dropped and I'm going "what the heck?!" Turns out the installer intentionally moves your real SSH to some arbitrary high port — so you can run a fake SSH honeypot on 22 while your legit connection lives elsewhere. Once I spotted the new port in the console, a quick firewall tweak and I was back in.
    Profiles give me level 14 giggidies: Once your sensor checks in, you assign it a profile. Vulnerable WordPress, Tomcat, a Cisco AnyConnect VPN, FTP honeypot, SSH honeypot — kind of all the honeypots. I went with a vulnerable WordPress instance. My one complaint: you can only assign one profile per sensor. My dream scenario of an SSH honeypot AND an FTP AND a vulnerable Tomcat all on one box will have to wait (or maybe that'd look too suspicious and scare the baddies off — who knows).
    The results were wild: Within a couple days I had thousands of connections, several flagged as malicious and tied to known botnets. I could see source IPs, malicious labels, whether they were residential or company or Google, and even download raw packet captures. There's clearly more telemetry to dig into (what people tried to spray into the login portal, etc.) — I meant to go deeper before recording and didn't, so consider this a "to be continued."
    Why do I care, since I'm not defending some huge infrastructure? Honestly it started as a brain break. But I've been testing a ton of external networks lately and nearly every company site is WordPress — which now powers around 43% of the internet. Running my own WordPress honeypot gives real oomph to those "your out-of-date WordPress is a big deal" conversations, where I can say "I run a WordPress honeypot and here's the aggressive password spraying and plugin/theme enumeration I'm seeing right now."
    See it, don't just hear it: I show the actual portal, sensor config pages, and more over on 7MinSec.club this week. Why not both, right? It's like that meme. GreyNoise also has a Project Swarm user webinar coming up — check their events page. And to be crystal clear: they are not a sponsor, this is all free, and I just think it's clever.
    Life update (the tangent portion): About the time you hear this, I'll be on my way to my dad's funeral, where I'm sharing some words and singing a song. I've been practicing like a madman per advice from my music director friend and guitar teacher — including a little brain hack of focusing hard on my fingers to stay a half-step removed from the emotion. And if I cry my face off up there? Who cares. This isn't America's Got Talent; it's the gesture. I'll be honest, 2026 has been a rough one, but I promised two bright spots and here they are: my son Cam (about to finish paramedic school) has been keeping grandpa's spirit alive by wearing my dad's shirts, sunglasses, and Apple watch, and getting a Cessna tattoo with my dad's actual handwriting and birth year. And you all — the kind words, the offers to talk, the shared stories — reminded me there are a whole lot of good people out there. Thank you for that.
    One more thing on the horizon: My brain's been a squirrel on pixie sticks, but for whatever reason I've been happily grinding the CARTP as a little vacation for my mind. I might take a swing at the exam this week — start it in the evening, grind a few hours, sleep, finish in the morning (I'm too old for 24 hours straight). I might pass, I might fail spectacularly. Either way I'll keep you posted, and if I get the cert, that's probably next week's topic!
  • 7 Minute Security

    7MS #729: Pwning Dracarys

    2026/07/04 | 18 mins.
    Hey friends! Still your grieving pal over here, but also your happy hacking host — because today we're diving into baby's first Dracarys! (Yes, I'm probably pronouncing that wrong. Yes, I'm going to keep saying it anyway.)
    Quick housekeeping: A few days ago I published a mini-series episode from our How to Secure Your Family During and After a Disaster series, where I shared the news that my dad passed away last Friday. So many of you reached out with condolences — thank you from the bottom of my heart. I'll share a little life update at the end of this episode.
    But first — Dracarys! I didn't know it existed until recently. If you knew about it and didn't tell me, I'm mad at you. But we made up. We're friends forever. Here's what we cover:
    What is Dracarys? It's a smaller, CTF-style Active Directory pentesting lab from the same crew that brought us Game of Active Directory (GOAD), GOAD-SCCM, GOAD-Light, and Ninja Hacker Academy. Where GOAD holds your hand through the vulnerabilities, Dracarys and Ninja Hacker Academy take more of a "here's your starting point, now figure it out" approach — which I love.
    The lab setup: One Linux VM, a Windows domain controller, and a Windows application server. Your only hint? Start with the Linux box. That's it. Good luck!
    TuesdayTOOLSday preview: Over on 7MinSec.club, I did a TuesdayTOOLSday episode walking through initial setup — getting your hosts file configured, running a NetExec sweep to map out the attack surface, and doing some light enumeration on that Linux box. No big spoilers, just enough to get your Kali box ready to rock.
    What I've learned since: After the TuesdayTOOLSday recording, I kept digging. My methodology has been: nmap to identify open ports and service versions, then research whether any of those versions have known exploits. Once I spotted an interesting web service, AI pointed me toward FeroxBuster for directory and file enumeration — a tool I hadn't used before but am now a huge fan of. It's fast, configurable, and once I got my scan tuned properly… I found a jewel. That jewel feels like the next step deeper into this lab. More on that in future TuesdayTOOLSday episodes!
    Shameless plug: All of this walkthrough content lives at 7MinSec.club. Subscriptions are free, and subscribing just means you get an email when I publish new content. No spam, no sales pitches — just hacking stuff. (And if you want to financially support the show, there's a paid tier too. Just sayin'.)
    Life update: We've moved into funeral planning mode. My dad, thankfully, had already mapped out his whole service — the pastor, the verses, everything — which has made things a little easier. We're picking photos for a tribute slideshow and I've been asked to share some words and sing a song. The song I chose is "Jesus, Savior, Pilot Me" — which my dad once described as "that song about Jesus flying airplanes." (He wasn't wrong. Sort of.) I've been practicing it all week and can barely make it through verse two. Prayers, good vibes, and a large supply of Kleenex would be appreciated.
    Again, you can find the Dracarys lab here. And if you're not already on 7MinSec.club, come hang out — that's where the deeper dives live.
  • 7 Minute Security

    7MS #728: Securing Your Family During and After a Disaster – Part 8

    2026/06/30 | 38 mins.
    Hey friends! This is a tough one to write. My dad passed away on Friday, and instead of the hacker-y tech episode I had planned, I pivoted to something more personal — another installment of our "Securing Your Family During and After a Disaster" series. I talk pretty raw and transparently today about loss, grief, and the practical stuff that makes a hard situation just a little less hard. Fair warning: it's about death and dying, so if that's not where your head is today, it's totally okay to duck out – we'll catch you next week.
    Here's what I cover:
    My dad's last day — He spent Thursday doing all his favorite things: chainsaws, ATVs, trap-shooting, mowing, and weed-whipping. Then Chinese food with the family and marveling at modern video games for the first time since the Atari 5200. It was, by all accounts, a perfect day for him.
    How we found out — My son Cameron, who's finishing up paramedic school, was visiting and sprung into EMT mode when my dad was found unresponsive Friday morning. He did CPR for 10 straight minutes — on his grandpa, who was his favorite person in the world. That's the stuff that's going to stay with Cam (and me) for a long time.
    Getting some closure — Cameron had the presence of mind to ask the paramedics to leave my dad in place so I could have a few minutes with him when we arrived. That was both devastating and, in its own way, healing.
    Why pre-planning your funeral is a gift to your family — My parents had nearly everything already picked out: the pastor, Bible verses, music, the military honors ceremony, photos for the display board, and even a time limit on service length (45 minutes and no more!). My dad had pre-written his own obituary. When we sat down with the funeral home, the heavy lifting was already done — and that was a genuine gift to all of us in an incredibly hard moment.
    Storyworth — seriously, do this — Years ago we signed my dad up for Storyworth, a service that sends your loved one a weekly question via email (things like "What's your earliest childhood memory?" or "Do you have any regrets?") and compiles their answers into a hardcover book. It runs about $100. Reading that book the last few nights has been incredibly comforting — including finding out my dad started smoking at age 8 using used cigarette butts rolled in toilet paper. Gross!
    Get your end-of-life wishes in writing — My wife's mom had verbally told us she wanted to be cremated, but it wasn't documented, and other family members made a different call. My dad put "cremation" right in his paperwork, no ambiguity. My recommendation: have this conversation with your loved ones, write their wishes down and make them official.
    Funeral home "upsell" moment — I had no idea there were apparently 627 ways to incorporate your loved one's remains into keepsakes — pendants, rings, necklaces with fingerprints, biodegradable urns for water scattering, etc. Some family members were very into this. I was not quite ready to turn my dad into an Atari cartridge, but your mileage may vary.
    On grief itself — Everybody handles it differently, at different speeds and intensities. My approach is to head straight into it rather than put on a happy face and deal with unprocessed grief years later. I encourage everyone — especially the kids — to not hold back. Ask the questions. Tell the stories. Cry if you need to. Give each other grace.
    Coming up next week — Back to pentesting content! I'll share details on a new lab from the folks who brought us Game of Active Directory, and I'm getting back on the CARTP (Certified Azure Red Team Professional) horse. I'm also tentatively eyeing the third Thursday of July for an unedited livestream of owning Ninja Hacker Academy from start to finish — Kali setup, tools, Mythic C2, BallisKit obfuscation, the whole thing. More details to come.
    If you're the thoughts, prayers, and/or good vibes type, I'd really appreciate you sending some my family's way over the next few weeks.
  • 7 Minute Security

    7MS #727: Securing Your Mental Health – Part 7

    2026/06/19 | 21 mins.
    Hello friends! It's been over a year since we did a dedicated mental health episode, so today I'm doing a big catch-up and running through my 7-point plan for being a more mentally secure me. None of this is professional medical advice (I am most definitely not a doctor or therapist — well, actually, I am in therapy, but that's tip #5), so take what's useful and leave what isn't. Terms and conditions apply.
    Here's my current mental health toolkit:
    Drink a ton of water — I try to chug a full Yeti thermos before my morning mint hot cocoa, then keep it going throughout the day. I taper off around dinnertime to minimize, uh, nighttime tinkle stops. Science agrees this does good things for your brain.
    Brick your phone — I've been using a little Bluetooth device called Brick that hooks into your phone's screen time features so you can block distracting apps on demand or on a schedule. I've got a "Brian Needs Sleepy" timer set for 9 p.m. every night — pretty much everything except the clock app goes dark. Outlook, Gmail, all the socials — gone. It's not revolutionary advice, but it turns out doing what people have been telling you to do for years actually works.
    Get enough sleep — Directly related to the Brick. Phone goes dark at 9 p.m., I yap with Mrs. 7 or we watch a show, and by 10:30 p.m. my peepers are drooping. I feel more refreshed and less anxiety-ridden during the day.
    Supplements — I'm not here to hawk some magic elixir with 47 mystery ingredients. What I'm currently trying is Nello Supercalm — a powder you mix into water. It's got magnesium glycinate, L-theanine, vitamin D3, and ashwagandha. I thought it was placebo at first, but kept it up for a week and noticed a legit mood/pep boost. Your mileage may vary, but it's doing something for me.
    Therapy — I've been in therapy since 2019 when my house burned down (link to those episodes here if you want to get thoroughly bummed out). If I could go back, I'd have started way earlier. The biggest benefit for me isn't some parade of uplifting affirmations — it's having a neutral third party with no stake in my life help me see situations from different angles and cut myself some slack.
    Take care of the TMJ — A few years back I started getting tinnitus bad. ENTs were basically like "yep, try not to think about it" — super helpful, guys. Eventually a jaw specialist found an irregularity on the left side of my jaw and fitted me with a heavy-duty custom mouth guard. That alone made a monumental difference in the ear ringing. But I also picked up a TMJ Pen on a chiropractor's recommendation — it's a 3D-printed vibrating/heated massager specifically designed for jaw muscles. Looks exactly like a vape (fun times at the airport), but it's been worth every penny of its ~$200 price tag. Between the mouth guard and the TMJ Pen, I wake up feeling way less like I survived a Saving Private Ryan scene.
    Forced fun — After a full work day plus all the dad/house stuff, my go-to is to be a blob on the couch. Nothing wrong with that sometimes. But I've found that the things that actually recharge me — like singing and playing guitar — require a little push to get started. So tip #7 is basically a note to future tired Brian: go downstairs, plug in the guitar, and start playing. You'll be glad you did.
    Got mental health tips that work for you? I'd genuinely love to hear them — this is the kind of conversation I want to be two-way. Find me and all things 7MS at 7MinSec.com, our Substack at 7MinSec.club, and our constantly growing pentesting wiki at 7MinSec.wiki.
More News podcasts
About 7 Minute Security
7 Minute Security is a weekly information security podcast focusing on penetration testing, blue teaming and building a career in security. The podcast also features in-depth interviews with industry leaders who share their insights, tools, tips and tricks for being a successful security engineer.
Podcast website

Listen to 7 Minute Security, Global News Podcast and many other podcasts from around the world with the radio.net app

Get the free radio.net app

  • Stations and podcasts to bookmark
  • Stream via Wi-Fi or Bluetooth
  • Supports Carplay & Android Auto
  • Many other app features
7 Minute Security: Podcasts in Family