
David Bombal

551 episodes

  • David Bombal

    #555: VirtualBox VM Escape: Integer Overflow Explained Clearly

    2026/03/10 | 47 mins.
    In this episode, David Bombal sits down with vulnerability researcher Vladimir Tokarev (with Dawid on the interview) to show what AI-assisted vulnerability research looks like when it actually works.

    Vladimir walks through two real vulnerability case studies and uses them to explain a practical workflow for finding bugs faster with LLMs, without pretending the AI is “fully autonomous.”

    Demo 1: Gemini CLI command injection
    Vladimir demonstrates a command injection issue in Gemini CLI tied to the IDE / VS Code extension install flow. He shows how a malicious VSIX file name or path can be crafted so that when the install command is executed, the system ends up running an attacker-controlled command (the demo uses a harmless calculator launch to prove execution). The conversation then breaks down what a VSIX is, what the realistic attack paths are (user tricked into installing a malicious extension or placing it in the right directory), and why this class of bug matters for endpoints running local AI agents.

    Demo 2: VirtualBox integer overflow and VM escape class impact
    Next, Vladimir switches to a VirtualBox vulnerability involving an integer overflow that can lead to out-of-bounds read/write in the host process. Because of architecture constraints, he shows the exploit behavior via a recorded clip, then explains the bug using source code. The key teaching moment is the mismatch between 32-bit arithmetic used in bounds checking and 64-bit pointer arithmetic used during the actual memory move, creating a pathway to bypass checks and copy memory outside the intended buffer.
    Vladimir also explains why having both read and write primitives is powerful for exploitation, and how modern mitigations make “blind” exploitation unrealistic without memory disclosure.

    How the bugs were found with AI
    Vladimir then explains the workflow he uses in real engagements:
    • Run static analysis to generate leads at scale
    • Use an LLM to triage and filter out noise
    • Validate the remaining findings by tracing code paths and checking exploitability
    • Use AI again to accelerate setup, debugging, reverse engineering, and iteration

    He shares a key insight: the win is not “AI finds everything for you,” it is that AI helps you spend your time on the hardest parts—validation, exploit logic, and decision-making—instead of drowning in thousands (or millions) of findings.

    Why there is no fully autonomous vuln-research agent yet
    Finally, Vladimir lays out four practical blockers:
    1. Depth reasoning (long multi-step exploit chains)
    2. Context limits (missing system-level constraints and assumptions)
    3. Learning from failure (repeating bad leads)
    4. Exploration (poor goal-driven search without strong reinforcement learning)

    // Vladimir Tokarev’s SOCIAL //
    X: https://x.com/G1ND1L4
    LinkedIn: / vladimir-eliezer-tokarev

    // Dawid van Straaten’s SOCIAL //
    LinkedIn: / dawid-van-straaten-31a3742b
    X: https://x.com/nullaxiom?s=21

    // David's SOCIAL //
    Discord: discord.com/invite/usKSyzb
    Twitter: www.twitter.com/davidbombal
    Instagram: www.instagram.com/davidbombal
    LinkedIn: www.linkedin.com/in/davidbombal
    Facebook: www.facebook.com/davidbombal.co
    TikTok: tiktok.com/@davidbombal
    YouTube: / @davidbombal
    Spotify: open.spotify.com/show/3f6k6gE...
    SoundCloud: / davidbombal
    Apple Podcast: podcasts.apple.com/us/podcast...

    Disclaimer: This video is for educational purposes only.
  • David Bombal

    #554: WHY Your Cheap Chinese IoT Camera Is A Network NIGHTMARE

    2026/03/10 | 42 mins.
    Are your smart home devices spying on you? In this video, David Bombal interviews cybersecurity researcher and IoT penetration tester, Matt Brown, to reveal how to intercept and decrypt supposedly secure SSL/TLS traffic from IoT devices.

    Matt demonstrates his open-source tool, "Man in the Middle Router," a specialized Linux-based bash script designed to simplify IoT hardware hacking labs. This tool stitches together essential Linux utilities—including HostAPD (for access points), DNSmasq (for DHCP), and iptables (for traffic routing)—to transform any Linux computer or Raspberry Pi into a transparent intercepting router.

    In this technical deep-dive, you will learn:
    • How a Man in the Middle (MITM) attack intercepts encrypted TLS (HTTPS) communications.
    • How to set up an IoT penetration testing lab using minimal hardware, such as an Alpha Wi-Fi adapter and an Ethernet dongle.
    • The difference between theoretical attacks and real-world vulnerabilities, like the failure of IoT devices to validate server certificates.
    • Transparent proxy setup using tools like mitmproxy to visualize raw API data.

    Live Hacking Demonstration
    Matt moves beyond theory to demonstrate a live hack of an Anran Wi-Fi security camera purchased from eBay. He shows the exact process of capturing and decrypting the camera's API traffic (apis.us-west.cloudedge360.com). This demonstration exposes that the device is transmitting sensitive information—including authentication credentials—in cleartext over HTTP inside the broken TLS tunnel.

    Whether you are a network engineer, network security analyst, or a hardware hacking enthusiast, this video provides a step-by-step framework for auditing the security and privacy of the devices on your network.

    // Matt Brown’s SOCIAL //
    X: https://x.com/nmatt0
    YouTube: / @mattbrwn
    LinkedIn: / mattbrwn
    GitHub: https://github.com/nmatt0
    Reddit: https://github.com/nmatt0
    Website (with training courses): https://training.brownfinesecurity.com/

    // GitHub REFERENCE //
    mitmrouter: https://github.com/nmatt0/mitmrouter

    // Camera REFERENCE //
    https://www.amazon.com/ANRAN-Security...

    // MY STUFF //
    https://www.amazon.com/shop/davidbombal

    // SPONSORS //
    Interested in sponsoring my videos? Reach out to my team here: [email protected]

    // MENU //
    0:00 - Coming Up
    0:33 - Introduction
    02:33 - Matt’s Solution for IoT Devices
    05:38 - Getting around SSL Pinning / Certificate Validation
    08:55 - Demo - The Basics
    12:00 - Demo - Man In The Middle Router Tool
    15:00 - Demo - Software/Hardware Considerations
    20:12 - Demo - MITM Proxy
    24:43 - Demo - MITM Router
    33:58 - Example Using a Real IoT Device
    36:33 - David’s Questions
    37:50 - More About Matt Brown
    38:41 - Android Vs Apple
    40:33 - Outro

    Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!

    #iot #hacking #iothacking
  • David Bombal

    #553: AVOID the Grep Trap: Why Splunk is the Future of Networks

    2026/03/03 | 35 mins.
    Learn Splunk basics with James Hodge in this introductory tutorial. We dive into SPL, analyzing Linux logs, and a powerful AI Canvas demo for network troubleshooting.

    Big thanks to Cisco for sponsoring this video and sponsoring my trip to Cisco Live Amsterdam 2026.

    // James Hodge’s SOCIAL //
    LinkedIn: / jameshodge

    // MENU //
    0:00 - Coming up
    0:47 - James' background
    01:36 - Splunk basics // What is Splunk?
    04:17 - Splunk demo
    07:35 - How Splunk analyses the data
    10:13 - Bringing in raw data
    12:22 - Splunk demo continued
    21:38 - Dark Mode funny story
    22:25 - Splunk demo continued
    24:12 - The toilet story
    27:56 - Modern Splunk dashboard demo
    30:45 - AI Canvas demo
    34:53 - Conclusion

    #splunk #cisco #ciscolive
  • David Bombal

    #552: Why The Matrix Was Right: 6 AI Movies Warned Us

    2026/02/28 | 1h 12 mins.
    Big thanks to Brilliant for sponsoring this video. To try everything Brilliant has to offer, visit https://brilliant.org/davidbombal to start your 30-day free trial or scan the QR code onscreen – You’ll also get 20% off an annual premium subscription

    Join hacker OTW and David Bombal as they rank the top 6 AI movies that predicted the future of cybersecurity. From Ex Machina to The Matrix, discover which films got 2026 right.

    In this video, OTW breaks down his curated list of the best Artificial Intelligence movies that every tech enthusiast and cybersecurity professional needs to watch. We aren't just reviewing films; we are analyzing how sci-fi predictions from decades ago are becoming reality in 2026. We discuss the dangers of removing AI guardrails as seen in Companion, the terrifying reality of predictive policing and surveillance mirrored in Minority Report, and the ethical dilemmas of AI consciousness explored in Her and Ex Machina. OTW also dives into 2001: A Space Odyssey and The Matrix to discuss Neuralink, data center energy consumption, and the risks of AI self-preservation.

    Are we heading toward a dystopian future, or can we still implement the right regulations?

    // Occupy The Web SOCIAL //
    X: / three_cube
    Website: https://hackers-arise.net/

    // Occupy The Web Books //
    Linux Basics for Hackers 2nd Ed
    US: https://amzn.to/3TscpxY
    UK: https://amzn.to/45XaF7j

    Linux Basics for Hackers:
    US: https://amzn.to/3wqukgC
    UK: https://amzn.to/43PHFev

    Getting Started Becoming a Master Hacker
    US: https://amzn.to/4bmGqX2
    UK: https://amzn.to/43JG2iA

    Network Basics for hackers:
    US: https://amzn.to/3yeYVyb
    UK: https://amzn.to/4aInbGK

    // OTW Discount //
    Use the code BOMBAL to get a 20% discount off anything from OTW's website: https://hackers-arise.net/

    // Playlists REFERENCE //
    Linux Basics for Hackers: • Linux for Hackers Tutorial (And Free Courses)
    Mr Robot: • Hack like Mr Robot // WiFi, Bluetooth and ...
    Hackers Arise / Occupy the Web Hacks: • Hacking Tools (with demos) that you need t...

    // MENU //
    0:00 - Coming up
    0:47 - OTW introduction // OTW books
    02:02 - Brilliant sponsored segment
    04:08 - AI in Hollywood and media
    08:06 - Top 6 movies about AI
    11:29 - Movie #6 // Guardrails on AI
    19:27 - Movie #5 // AI-controlled media
    27:35 - Movie #4 // AI crime detection
    39:38 - Movie #3 // AI self-preservation
    48:55 - Movie #2 // Human & AI relationships
    55:23 - Movie #1 // AI Turing test
    01:04:57 - Top 6 AI movies summary
    01:11:02 - Conclusion

    #ai #movies #aimovies
  • David Bombal

    #551: DNS Command & Control: Detecting Malware Traffic

    2026/02/23 | 36 mins.
    Big thank you to Infoblox for sponsoring this video. For more information on Infoblox have a look at their website: https://www.infoblox.com/

    // Get Wireshark Certified //
    Check out the official training course
    📘 GET TRAINING:
    https://courses.davidbombal.com/l/pdp...
    Use code "WiresharkHack" to get a $50 discount
    🔗 Learn more: https://wireshark.org/certifications

    In this deep dive, David Bombal is joined by Wireshark expert Chris Greer to strip down the most critical protocol on the internet: DNS. We move beyond the theory to show you exactly what DNS looks like "on the wire." Chris reveals why a staggering 92% of malware uses DNS for Command and Control (C2) and how you can use packet analysis to detect these breaches before they spread. We also debunk common myths about DNS only using UDP, explore the "Librarian" analogy for Root Servers, and walk through a live capture of a request to a real website.

    What You Will Learn:
    • Malware Detection: Why 92% of malware relies on DNS and how to spot C2 traffic.
    • Packet Anatomy: A line-by-line breakdown of DNS headers, Transaction IDs, and Flags in Wireshark.
    • The TCP Myth: Why blocking TCP port 53 on your firewall can break your network (and why DNS needs it).
    • Troubleshooting: How to measure DNS latency (response time) to pinpoint slow network performance.
    • Recursive Lookups: Understanding the chain from your PC to the Root Servers and back.

    // Chris Greer’s SOCIAL //
    YouTube: / chrisgreer
    Official WCA training: https://courses.davidbombal.com/l/pdp...
    Use code "WiresharkHack" to get a $50 discount
    LinkedIn: / cgreer
    Website: https://packetpioneer.com/

    // Download Wireshark pcaps from here //
    https://github.com/packetpioneer/yout...
    https://github.com/packetpioneer/yout...
    https://www.wireshark.org/certificati...
    https://packetschool.teachable.com/

    // WCA Course REFERENCE//
    Official WCA training: https://courses.davidbombal.com/l/pdp...
    Use code "WiresharkHack" to get a $50 discount

    // Chris’ DNS Series on YouTube //
    • Your First DNS Lookup—Captured and Explained

    // MENU //
    0:00 - Coming up
    0:52 - More Wireshark! // It's always DNS
    02:45 - Infoblox sponsored segment
    03:37 - DNS basics in Wireshark // How DNS works
    06:52 - Analysing the DNS packet capture
    08:32 - Destination address explained
    10:09 - Transaction ID explained
    11:13 - Flags explained
    13:26 - Questions, Answer RRs & Additional RRs explained
    15:39 - Additional records explained
    17:07 - Response walkthrough
    19:24 - Real DNS packet capture walkthrough
    21:17 - Quick Wireshark tip
    22:32 - Walkthrough continued
    25:55 - Going deeper // How DNS resolver works
    32:41 - More on Chris Greer YouTube channel and more to come
    35:36 - Conclusion

    #dns #infoblox #wireshark

About David Bombal

Want to learn about IT? Want to get ahead in your career? Well, this is the right place! On this channel, I discuss Python, Ethical Hacking, Networking, Network Automation, CCNA, Virtualization and other IT related topics. This YouTube channel has new videos every week! Subscribe for technical, detailed, no fluff content. David’s details: Discord: https://discord.com/invite/usKSyzb Twitter: https://www.twitter.com/davidbombal Instagram: https://www.instagram.com/davidbombal LinkedIn: https://www.linkedin.com/in/davidbombal Facebook: https://www.facebook.com/davidbombal.co Website: http://www.davidbombal.com YouTube: https://www.youtube.com/davidbombal All the best! David