
it is the first of june, halfway through the year 2026, and this is the first new post for the year. as per usual, i have fallen victim to cooking too many things at once, and will have approx 7 or so different posts to put up at once because that historically seems to be how i move through things. this, however, is not a project post. this is a good old fashioned rant. it hasnt been proofed and it wont be because i am ill and need to get these thoughts out before my head explodes.

here is a short tldr of the topics i will move through in some way shape or form.

  • the death of the cyber hype cycle
  • VR was accepted only while the hype cycle was alive and everyones true colours are now coming out
  • you cannot prevent a 4th/5th/nth upstream party selling their credentials to an IAB
  • the entire world has been poisoned by hyper gamification and this is why you all love vibe coding so much
  • bug bounties are dead, (maybe) long live bug bounties

its been about half a decade now that my title has the word security in it, but its been about 15 years and counting that my job has involved security. i have said this for years to anybody that will listen, and even beaten those that wont over the head with it; cyber and security are nothing but functions of IT. they are not separate domains, you are not the military with your 5 planes of battle space. app control, network segregation, removing the any/any rule in the fortigate that makes your myob work (which it DOESNT! the activation server was just down and came back up when the rule was added, it was a coincidence!) all belong to IT.

there used to be a literal wizard with a beard about 3 foot long who could tell you exactly how to set up the solaris server with its tunnel of reverse ssh proxies necessary to interface the superannuation program running on the box with the timesheet results from CICS on the mainframe through RACF. this man knew all about security. this man was always part of IT and did not have a separate segmented zone to sit in.

and somewhere along the way, perhaps we can blame crowdstrike, i dont know and i dont really care, marketing and perception forced some sort of schism; IT became janitorial and cyber became the new hotness, the sexy thing to do when you want to make 200k a year despite not knowing how to spell the word computer and perhaps most tellingly not actually giving a flying fuck about computing.

and it becomes cool! it becomes trendy! wow ethical hacking! beating the bad guys by being a bad guy (despite almost NO ONE a) paying for a real red team or b) being comfortable with what actually goes down in a real red team, and running it back to a PT where you dont even touch the sides of real bad guys)! no not that soc stuff, thats janitorial! thats IT! get me out of there and into the red team! and so you end up with people moving from sales into pentesting and being shocked and surprised that theres an ENORMOUS trove of prereqs to absorb to not be dangerous.

cyber for all! everyone wants cyber! yes cyber for me please! yes please give me a red team engagement! wait what the FUCK do you mean you are going to deploy deepfake voice cloning of the ceo to trick helpdesk into resetting his password? how dare you even THINK of forging tokens of the soc analysts and deleting your own logs out of the siem? in what world do you think i want you to shim the locks to the facility and drop an implant? yes i know i asked for a red team but this is just unacceptable! this is criminal!

this is criminal. yes, the final retort of computer related endeavours that result in another party losing face. when clients balk at the reality of what activities previous successful red team engagements undertook, its always a two-sided coin where some variant of “this is illegal” (thats against our policy, that is unorthodox) is backstopped by the real issue of “if you do this and are successful, we will look like idiots”. i dont think the coin analogy fit but my head hurts and im not thinking of a new one. we will be coming back to this later.

there is an absolutely ENORMOUS chasm between customers and consumers of offensive services who embrace shift left and integrate consultants as part of their lifecycle, and those who are amazed and upset that you cannot simply walk up to the front desk and order “1x pentest” for 3 days across a multi forest domain and have it meaningfully represent ANYTHING, as well as being amazed that we will not in fact give them legal documentation saying you are unhackable to pass to their insurance teams afterwards.

and that second group of clients reveals an unpleasant truth about the hype cycle; offensive security during the hype cycle was only ever allowed to exist via polite lip service due to the changing market forces making it sexy and hot, and overwriting the REAL thoughts that everyone actually finds it offensive (hue) and criminal.

approx a year ago i ranted on this particular topic in short form, but more aimed at individuals calling for the criminalisation of offensive tooling // vuln research, but now, today, microsoft has shown their real stance. they know the hype is dead, they know “cyber” has gone back to the IT teams (where it should have never left!) and they know, because they always understood it, security IS janitorial in nature. mop the floor, clean the spill. lock the doors, change the keys. pentesting is nothing but QA - hows THAT for a sexy life changing career you should get into to make millions and not have to deal with stinky computers?

and microsofts latest post calling for the deployment of the cyber police, in a threat somewhat reminiscent of the jessi slaughter saga but infinitely more serious and likely to have real world ramifications, brings us full circle to the 2000s. this is criminal, cries ms at being made to look the fool for a string of vulns they ignored. “how dare a measly researcher find these things that we, microsoft, titan of industries, missed? how foolish do we, microsoft, look in the face of ever escalating pressure to adequately respond to security research, but instead choosing to deny people their livelihood by marking things as not violating a security boundary, listing research as NA and then issuing a patch, threatening researchers for disclosing the CVE number for a finding? why wont these criminals just stop!”

“criminals, criminal criminals! criminals committing cyber crimes causing computer concern! chicanery! dont these researchers understand the world would be safer if they all just stopped this activity? if everyone in VR just stopped looking for vulns, there would be no more exploitation!” - the dastardly cry of the utterly deranged.

but as i said before, this mentality has been leaking out of the cyber hype cycle circle jerk for a while now, with people looking to try and score cheap brownie points by having the same opinion on internet safety as their favourite conglomerate in a desperate, exasperated attempt to retain employment in the positively fucked market environment. its just now orgs have no need to pretend anymore; VDP budgets are being dried right up, literal threats being deployed, teams being excised, but above all an enormous desire, compulsion, NEED for these billion and trillion dollar orgs to save face by blaming the existence of any issues in their products on the discoverer of said issue.

exactly how far removed from a functioning brain does one need to be to be physically unable to reach the conclusion that if a sole operator with a laptop can find these vulns and weaponise them, obviously real threat actors and actual criminals are finding them too? “but it makes it easier for criminals!” except it totally does NOT. am i going to a) keep abreast of what is new and popping in sploit land when im not being paid for it as part of my job in IT, or b) hit up my local access broker for some valid creds to an MSP?

and so we move again into an observation i have made year after year anytime i have to talk to C levels about threats and the landscape; people selling their creds is an unstoppable problem. it cant be solved. theres no measure that can be installed, policy written or procedure theatrically played out. all one can do is mitigate the damage it will cause (do note i said WILL and not CAN, because somewhere along the line, one of your (yes YOU personally) upstream dependencies will have their own upstream dependency that will have someone happily trade their helpdesk creds for $5000). cause if youre making 3/5ths of fuck all at the age of 19 at a job you hate almost as much as you hate yourself, as if you wouldnt.

all you can do is make sure your garden is as well tended as it can be; you have segmented properly, you have POLPd and PLOPd and POLOd and YOLOd, you have minimised the blast radius. one may be wondering how this ties back to shouting at m$, and the answer is, using metrics i have procured from deep inside my own anus, significantly more damage is being done with any of your random supply chain attacks that crop up basically every single day of the past few years than any (and realistically, all) of Nightmare Eclipses releases. because someday, all of these will be patched and mitigated. there is nothing you can do against a credential sale.

there is also nothing you can do when a developer of the paas platform your paas platforms developer uses gets fucked by a malicious roblox mod the first platforms dev put onto his work laptop, with excessive share perms via ANOTHER platform leading back to the paas platform you actually use. make sure to read that carefully and see how many steps away from you, the innocent end user, this is, and how you, the innocent end user, can do ABSOLUTELY NOTHING about this.

but, its all the fault of offsec. if only a tool doing what psexec has done for decades didnt exist on github, this developer would have never been able to download a backdoored game mod onto his work laptop!

vdp payouts being lowered, companies acting openly adversarial to researchers and testers now that the hype cycle has fallen out of favour, programs being closed in favour of putting that money into tokens, researchers publicly discussing brokers instead of the traditional bounty hunting process; it appears the industry on both sides might be sick of bb. one of the largest disparities i have come across in pentesting vs hunting, and this should be stunningly obvious to anyone who has made it this far, is that pt clients care far, far more for a remediation plan than for being shown impact.

and i think this might be where we are at; the traditional model has reached an inflection point of so what. “oh, you found another lpe? just chuck it on the pile of other lpes weve got to work through.” what a world to live in where an entire new attack class has opened up via the frag lpes and its been a somewhat collective shrug after the 4th.

i think the change may be something more akin to what geohotz was trying with tinygrad, where you get paid for PRs you submit that fix shit. “woah you want people to do m$ work FOR them?” what do you think all this free vr is? they arent getting paid for it anyway with the trash handling of issues, so perhaps the answer is to pivot to doing the work for them that they WILL pay for.

it is time to round this post out and lie the fuck down because i am very, very ill and accidentally coughed on the amazon delivery driver bringing me my copper tape that i am using for another upcoming project. astute readers will note i really did not cover the ai topic, and a) truthfully that sentence in the tldr encapsulates it perfectly and b) if you simply read my old gamification article and mentally regex in the word ai instead of fisher price platform, the entire article stands perfectly well.