The Cyber Threat Perspective

In Episode 179 of the Cyber Threat Perspective podcast, host Brad Causey and web app pen tester Jordan Natter kick off a multi-part series on the OWASP Top 10, the newly updated list of the most common and critical web application security risks, with a fresh version released in 2025.
Before diving in, Brad sets the record straight on something that's been bugging him for 20 years: the OWASP Top 10 is an awareness document, not a compliance framework, not a pen test checklist, and not a comprehensive defense guide. If your vendor claims they "comply with the OWASP Top 10," that's a red flag — you can't comply with an awareness document.
Part 1 focuses entirely on A01: Broken Access Control — the most dangerous and most common category on the list — and the conversation goes deep with real-world stories from active engagements.
Topics covered include:
What OWASP actually is — and why the Top 10 is both invaluable and widely misunderstood
Broken Access Control — what it means, why it tops the list, and how it manifests in real applications
JWT validation failures — a healthcare application where improper JWT handling allowed unauthorized access to admin functionality
MFA bypass via broken access control — a university application where MFA codes weren't properly scoped, enabling account takeover
CORS misconfigurations — how Cross-Origin Resource Sharing policies fail in modern Node and React applications, including a real story of bypassing CORS by allowing AWS resources
Insecure Direct Object References (IDOR) — why IDOR isn't just about changing integer IDs, including a university app where changing a student ID number led to staff-level privilege escalation
S3 bucket IDOR — how a modern web application exposed PHI by returning GUIDs in JSON responses that could be enumerated directly
Hidden functionality as false security — why hiding admin URLs from the navigation bar is obscurity, not security, and how Jordan accessed an entire admin PDF panel as an unauthenticated user just by copying a URL
OWASP Top 10: https://owasp.org/Top10/2025/0x00_2025-Introduction/ 
Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov
Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com
Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

In Episode 178 of the Cyber Threat Perspective podcast, hosts Spencer and Tyler take a practitioner-first look at the internal security controls that genuinely make attackers' lives difficult, drawing directly from their experience conducting hundreds of internal penetration tests every year.
This isn't a vendor comparison or a theoretical framework. It's an honest account of what works, what gets misconfigured, and what separates organizations that slow attackers down from those that don't.
Topics covered include:
Application Control — ThreatLocker and Magic Sword — why app control is probably the single most effective endpoint control against attackers, how the learning period works, why jumping straight to enforcement mode is a mistake, and why executive buy-in is as critical as the technical implementation
WDAC vs. traditional App Locker — the differences, what closed-book enforcement actually means for attackers, and the two schools of thought on allow-list vs. block-list approaches
Strong identity controls — MFA beyond RDP including SMB, WinRM, and HTTP via products like Silverfort, why push notification MFA falls short, and why number matching matters
Protected Users Group — one of the most powerful and underused Active Directory controls, with a real-world story of how it nearly matched a full third-party identity product in effectiveness during a law firm pen test
Least privilege and admin tiering — why Help Desk is one of the most targeted groups for social engineering, how over-permissioned service accounts hand attackers domain admin in minutes, and the real cost of control path vulnerabilities
Network segmentation and zero trust — why domain controllers don't need internet access, how segmentation limits attacker recon, and where products like Zscaler fit in
EDR baselining and UEBA — why plugging in an EDR tool and expecting it to work isn't enough, the case for getting back to behavior-based detection, and why catching recon activity matters more than catching execution
Deception — honeypots, canaries, and fake assets — why deception is underrated, why high-fidelity low-false-positive alerts change the game, and what it actually feels like as a pen tester to trip on a well-placed decoy without knowing it
Also mentioned: Spencer and Brad's Tools of the Trade workshop at ILTA Evolve — Denver, end of April.
Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov
Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com
Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

In Episode 177 of the Cyber Threat Perspective podcast, host Brad Causey and virtual CISO Daniel Perkins take a clear-eyed look at Claude Mythos — Anthropic's AI model that's generating serious buzz in the cybersecurity world for its ability to analyze source code, identify vulnerabilities at scale, build working exploits, and surface flaws that have sat undetected for decades.
The cybersecurity community is reacting. Brad and Daniel think a more measured response is warranted.
This episode breaks down what Mythos actually is, what it actually did, and what it actually means for your security program — without the hype or the hand-waving.
Topics covered include:
What Mythos really is — a purpose-built code analysis model, not a hacker-in-a-box or AI overlord, and why that distinction matters
The BSD vulnerability reality check — it cost $20,000 to find a 20-year-old DOS flaw in software almost nobody uses, and what that tells us about the real-world economics of AI-driven vulnerability discovery
Speed, not net-new — why Mythos hasn't introduced anything fundamentally new to the threat landscape, just compressed the timeline dramatically
Vulnerability chaining — how Mythos could change triage by identifying how low and medium severity CVEs combine into critical attack paths
The vibe coding problem — why organizations that have never written code before are now writing a lot of it, and why that's where Mythos becomes genuinely important
What this means for pen testing — why AI finding code flaws doesn't replace the human-driven validation of security programs, business logic testing, and misconfiguration discovery
The shift to continuous vulnerability management — why monthly or quarterly scanning cycles won't be sufficient once Mythos capabilities proliferate, and how to make the move to continuous without going big bang
The Mythos-Ready framework — a look at the CSA guidance document, what's useful, what needs to be scaled to your organization, and why inventory and attack surface should come before governance for most teams
Supply chain and third-party risk — how Mythos changes the questions you should be asking your software vendors
The bottom line from Brad and Daniel: be responsive, not reactive. Tighten your patching SLAs, understand your attack surface, document your decisions, and execute the fundamentals well. The organizations that do that won't be caught flat-footed when this becomes mainstream.
Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov
Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com
Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

In Episode 176 of the Cyber Threat Perspective podcast, Brad and Spencer break down some of the most repeated cybersecurity best practices in the industry and explain why, despite sounding solid on paper, they consistently fall short in real IT environments.
This isn't about dismissing good security principles. It's about closing the gap between advice that looks great in a framework and controls that actually hold up against how attackers operate.
Topics covered include:
"Just enable MFA everywhere" — why focusing only on RDP leaves SMB, WinRM, service accounts, and legacy protocols wide open
"EDR will catch it" — the danger of over-relying on a single control, including a little-known CrowdStrike behavior where it self-disables on domain controllers at 90% resource utilization — often completely unnoticed
"Patch everything immediately" — why blind speed creates its own operational risk, and how to build a prioritized, high-risk patching process that actually works
"Least privilege everywhere" — why removing permissions without providing alternatives drives workarounds, shared accounts, and exceptions that undo the whole point
"Follow the framework and you're secure" — why compliance is a starting point, not a finish line, and what most standards actually require vs. what actually reduces risk
Focusing on attack paths over checklists — why thinking like an attacker leads to better security decisions than ticking boxes
Brad and Spencer close with what actually works: context-driven decisions, management buy-in, clear communication when making sweeping changes, and validating every control through internal penetration testing. As Spencer notes, most clients don't have full confidence in their EDR and SOC after a pentest — and that's exactly why trust but verify matters.
Also mentioned: Spencer and Brad's upcoming Tools of the Trade workshop at the ILTA Evolve conference in Denver.
Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov
Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com
Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.

In Episode 175, Spencer and Tyler break down NetTools — a free, self-contained Active Directory management and troubleshooting tool that’s become a go-to for their internal penetration testing engagements.
They start with the backstory: years of relying on AD Explorer from Microsoft Sysinternals, and the growing need to evade EDR detections. At one point, that meant manually obfuscating binaries with a hex editor. NetTools eliminates that friction entirely — no installation, no dependencies, no signatures to fight.
Topics covered include:
Why NetTools replaced AD Explorer and how EDR pressure forced the shift
Group Policy enumeration, including how to spot dangerous GPO permissions like authenticated users with write access to server OUs
LDAP Search & Browser for querying AD, identifying risky data (like passwords in descriptions), and exploring object relationships
Assigned Trustees & Permissions Reporter for fast, visual identification of misconfigurations
How to run NetTools from non-domain-joined machines using saved credential profiles
Password checker functionality for targeted validation without spraying the environment
For pentesters, it’s a faster way to get visibility into AD risk. For IT admins, it’s a practical way to audit and harden your environment.
NetTools combines the functionality of multiple tools into one portable utility. Learn more at nettools.net. Credit to creator Gary Reynolds.
NetTools | The Swiss army knife of AD troubleshooting
Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov
Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com
Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.