Pentest-Tools.com helps security professionals find, validate, and communicate vulnerabilities faster and with greater confidence - whether they’re internal teams defending at scale, MSPs juggling clients, or consultants under pressure.

With comprehensive coverage across network, web, API, and cloud assets, and built-in exploit validation, it turns every scan into credible, actionable insight.

Trusted by over 2,000 teams in 119 countries and used in more than 6 million scans annually, it delivers speed, clarity, and control - without bloated stacks or rigid workflows.


Pentest-Tools

March was about AI earning its place in the workflow.
In this month's update video, Alice walks you through what we shipped: MCP server integration so your AI assistant can run scans directly, AI-enhanced authentication in the Website Scanner, 5 new Sniper exploits, and more.
Watch it, then check the full change log in the comments.
#offensivesecurity #infosec

1 hour ago | [YT] | 0

Pentest-Tools

Tool sprawl in vulnerability assessment isn't a tool problem, it's a handoff problem. Every transition between scanners is where context gets lost and findings get missed.

We put together a full overview of how the online vulnerability scanners from Pentest-Tools.com approach this: web apps, networks, APIs, and cloud in one environment, with authenticated scanning, ML-assisted triage, and forensic proof attached to confirmed findings.


pentest-tools.com/usage/online-vulnerability-scann…

3 days ago | [YT] | 2

Pentest-Tools

If NVD slowed down again tomorrow, where would your team turn first?

We’re curious which alternatives practitioners already trust, use, or at least keep on the radar.

Vote below, and add your source in the comments if it’s not listed.

#vulnerabilitymanagement #infosec #offensivesecurity #cybersecurity

If NVD, CVE, or CISA KEV became unreliable tomorrow, where would you look next?

4 days ago | [YT] | 1

Pentest-Tools

🏴‍☠️ Least privilege? FuelCMS didn't get the memo.

Any authenticated user (regardless of role) can call the Blocks module endpoint. Pair that with PTT-2025-026 and a low privilege (one could even say zero-permission) account becomes full RCE. CVSSv3 goes from 5.4 to 8.8 faster than you can say "access denied."

No patch. ~4 years of unmaintained software. You know the drill.

Matei "Mal" Bădănoiu and Raul Bledea found the gap. Full PoC can be found in our Offensive Security Research Hub: pentest-tools.com/research

#offensivesecurity #vulnerabilityresearch #infosec #RCE

5 days ago | [YT] | 6

Pentest-Tools

There's a version of a cybersecurity career where you're exceptionally good at your job - and almost invisible to the people who could grow it.

Last weekend, Andra Zaharia, our Head of Marketing & Community, spoke to 20 young women at the Girls in Cyber Bootcamp about exactly *that gap*, and how to close it.

The topic? Value engineering: how to turn your technical expertise into business outcomes that grow your career.

Why? Because technical skill and business impact are not the same thing. Most of us are trained in one and left to figure out the other on our own.

What bridges them?

✔️ Learning to ask "what problem are we actually solving?" - before building, before presenting, before proposing anything. It sounds obvious. Almost no one does it consistently.
✔️ Understanding that in cybersecurity, success is silent. A breach that didn't happen doesn't celebrate itself. You have to learn to translate invisible outcomes into language that the business can feel: time saved, risk reduced, money protected.
✔️ And knowing that how you show up - with honesty, generosity, and a real point of view - builds the kind of trust that opens doors no certification ever will.

To everyone at #UNbreakableRomania 2026: thank you for building a community where new voices get a real seat at the table!

The next generation of security professionals is in good hands. 🔐

#GirlsInCyber #Cybersecurity #EthicalHacking

6 days ago | [YT] | 5

Pentest-Tools

Skeptical of AI in #offensivesecurity tools? Good. You should be.

The last thing you need is for AI to:
❌ Generate synthetic or "hallucinated" vulnerabilities
❌ Bypass authorization boundaries, or
❌ Autonomously control scanning engines

That’s why we introduced AI in Pentest-Tools.com only where it *improves precision* or *reduces friction*.

This translates to:
✅ 50% fewer FPs in fuzzing & web app scanning
✅ Deeper crawling coverage
✅ 92% success rate for AI-assisted authentication
✅ More efficient scan orchestration with the MCP server (and more!).
Validation and reporting stay deterministic - and auditable. You keep full control.
See how AI works in Pentest-Tools.com - pentest-tools.com/features/ai

#offensivesecurity #infosec #cybersecurity

1 week ago | [YT] | 4

Pentest-Tools

Razvan Ionescu, our Head of #OffensiveSecurity Services, recently gave a heartfelt talk at #BSidesLjubljana. 🇸🇮

He shared the steps, mindset, and what actually worked for him in becoming the penetration tester he is today.

The 3 things he wants you to remember are:

🧠 Be curious, creative, and open-minded

🚀 Embrace challenges that push your limits

🤝 Grow your network and learn from trustworthy sources

The venue was a nice touch too - the Computer History Museum in Ljubljana. Very hackerish energy for a security talk.

Curious how Razvan works in practice? Watch him run a full pentest workflow here: pentest-tools.com/webinars/how-attackers-think

#offensivesecurity #infosec #cybersecurity #BSides

1 week ago | [YT] | 5

Pentest-Tools

2.7M people got breach notifications from a company most of them never heard of.

Silent access. No ransomware. Just data walking out the door.

Daniel Bechenea from Pentest-Tools.com breaks down why 3 weeks of read-only access is often more damaging than ransomware, and why SSNs from 2018 are just as useful to attackers today.

Read Daniel's full take here: www.itsecurityguru.org/2026/03/20/2-7-million-hit-…

#cybersecurity #infosec #dataprotection

1 week ago | [YT] | 4

Pentest-Tools

🇷🇴 The cyber-edu.co/ #UNbreakableRomania 2026 final is happening *this week* - and we're excited to support the top 16 teams competing!

Along with the in-person CTF final, 20 young women will join the Girls in Cyber Bootcamp for hands-on labs, mentorship, and a real path into #cybersecurity.

That’s how strong security communities grow: through practice, support, and a room for new people to welcome and nurture them.

Good luck to all finalists and bootcamp participants! Make the best of it! 👊

Learn more about UNbreakable România: unbreakable.ro/

#offensivesecurity #infosec

1 week ago | [YT] | 0

Pentest-Tools

One does not simply exfiltrate a reset token using an email array.

And yet, Frodo (Matei "Mal" Bădănoiu) and Samwise (Raul Bledea) from Pentest-Tools.com did exactly that in FuelCMS.

Know someone's email? That's enough. Slip your address alongside theirs in a “forgot password” request and the token lands in your inbox. Their account is yours. You shall not (safely) parse!🧙

Chain it with PTT-2025-026 and you're looking at a 9.8 Critical unauthenticated RCE. One array to rule them all! 💍

Full PoC here: pentest-tools.com/research

#offensivesecurity #vulnerabilityresearch #infosec #accounttakeover

1 week ago | [YT] | 2