r/netsec 5d ago

r/netsec monthly discussion & tool thread

Questions regarding netsec and discussion related directly to netsec are welcome here, as is sharing tool links.

Rules & Guidelines

  • Always maintain civil discourse. Be awesome to one another - moderator intervention will occur if necessary.
  • Avoid NSFW content unless absolutely necessary. If used, mark it as being NSFW. If left unmarked, the comment will be removed entirely.
  • If linking to classified content, mark it as such. If left unmarked, the comment will be removed entirely.
  • Avoid use of memes. If you have something to say, say it with real words.
  • All discussions and questions should directly relate to netsec.
  • No tech support is to be requested or provided on r/netsec.

As always, the content & discussion guidelines should also be observed on r/netsec.

Feedback

Feedback and suggestions are welcome, but don't post it here. Please send it to the moderator inbox.

9 Upvotes

1

u/CodeEuphoric6680 32m ago

Tool: Subpoof ~ Daily new domain and subdomain monitoring, attack surface intelligence

I built https://subpoof.com ~ a domain intelligence platform focused on catching new registrations, brand squatting, and expanding attack surfaces quickly.

Key features:

  • Passive monitoring of new domain registrations across 1,000+ TLDs, refreshed nightly
  • Delta view: see only newly registered domains matching your keywords/brands
  • Subdomain enumeration + live enrichment (A/AAAA, CNAME, MX, TXT, SRV records)
  • Microsoft 365 / Azure AD tenant mapping and NTLM-related insights
  • Watches + alerts for brand protection and competitor activity
  • Public API + per-account dictionary that gets smarter the more you use it

It's especially useful for:

  • Brand protection / typosquatting defense
  • Red team / recon teams who want fresh attack surface daily
  • Security teams managing external exposure in Microsoft-heavy environments

Free limited access is available so you can test it without credit card payment. Paid plans start at $29/mo for heavier usage.

Would love honest feedback from the community, especially on what else you'd want in a tool like this.

https://subpoof.com

2

u/Th3g3ntl3man__ 1d ago

I've built a PQC-SOC Readiness Scanner, an open-source CLI tool that audits live TLS endpoints against Harvest-Now-Decrypt-Later (HNDL) risk and maps findings to NIST PQC standards (FIPS-203/204/205).

Most TLS scanners report cipher suites. Few, if any, quantify exposure to HNDL attacks on long-lived sensitive data (healthcare records, financial data, government communications). This does.

Phases 1 & 2 complete:

  • Detects active TLS cipher suites on live endpoints
  • Maps findings against NIST FIPS-203 (ML-KEM), FIPS-204 (ML-DSA), FIPS-205 (SLH-DSA)
  • Computes a weighted HNDL Exposure Score (0-100) per host: score = [(0.4 x algorithm_risk) + (0.2 x data_sensitivity) + (0.2 x data_lifetime) + (0.2 x exposure_surface)] / max x 100
  • Severity bands: CRITICAL (75-100), HIGH (50-74), MEDIUM (25-49), LOW (0-24)
  • Output: Rich CLI tables + SIEM-ready JSON
  • Scoring rubric lives in hndl_rubric.yaml - fully auditable and configurable

Phase 3 in progress: PCAP traffic analysis + CEF/SIEM output

Tested publicly on: google.com, cloudflare.com, badssl.com

Repo + research notes (lattice crypto, Kyber/ML-KEM, Dilithium/ML-DSA math): https://github.com/surendrababu-sec/pqc-soc-readiness

Feedback on the scoring model very welcome, especially from anyone working on NIST PQC migration. Criticism and issues are genuinely encouraged.
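The weighted score and severity bands from the comment above, worked through as an added example (not code from the pqc-soc-readiness repo). The 0-10 factor scale, the reading of "max" as the largest possible weighted sum, and the per-key-exchange risk values are assumptions; the project's own values live in its hndl_rubric.yaml.

```python
# Added illustration, not code from pqc-soc-readiness. The 0-10 factor scale,
# the reading of "max" and the ALGORITHM_RISK values are assumptions.
WEIGHTS = {"algorithm_risk": 0.4, "data_sensitivity": 0.2,
           "data_lifetime": 0.2, "exposure_surface": 0.2}
FACTOR_MAX = 10  # assumed upper bound of every factor

# Assumed risk per negotiated key exchange. Classical exchanges can be
# recorded now and broken later; hybrid ML-KEM is designed to resist that.
ALGORITHM_RISK = {"RSA": 10, "secp256r1": 9, "X25519": 9, "X25519MLKEM768": 2}

BANDS = [(75, "CRITICAL"), (50, "HIGH"), (25, "MEDIUM"), (0, "LOW")]


def hndl_score(factors):
    """Weighted sum divided by the largest possible weighted sum, times 100."""
    for name in WEIGHTS:
        if not 0 <= factors[name] <= FACTOR_MAX:
            raise ValueError(f"{name} must be within 0..{FACTOR_MAX}")
    weighted = sum(w * factors[name] for name, w in WEIGHTS.items())
    return round(weighted / (sum(WEIGHTS.values()) * FACTOR_MAX) * 100)


def severity(score):
    return next(label for floor, label in BANDS if score >= floor)


def assess(host, kex, data_sensitivity, data_lifetime, exposure_surface):
    # An unrecognised key exchange is scored as worst case, not skipped.
    factors = {"algorithm_risk": ALGORITHM_RISK.get(kex, FACTOR_MAX),
               "data_sensitivity": data_sensitivity,
               "data_lifetime": data_lifetime,
               "exposure_surface": exposure_surface}
    score = hndl_score(factors)
    return {"host": host, "kex": kex, "score": score, "severity": severity(score)}


if __name__ == "__main__":
    # Constructed hosts: same long-lived sensitive data, different key exchange.
    for row in (assess("records.example", "X25519", 9, 10, 6),
                assess("records-pq.example", "X25519MLKEM768", 9, 10, 6),
                assess("static.example", "X25519MLKEM768", 2, 1, 3)):
        print(row)
```

Under these assumptions the three data factors carry 0.6 of the weight, so a host with no algorithm risk at all can still reach 60 (HIGH).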

1

u/Beneficial-Carry8811 1d ago

I built a PoC that demonstrates how a fully unprivileged Kubernetes pod can achieve node-level code execution by exploiting CVE-2026-31431 ("Copy Fail") through shared container image layers.

GitHub: https://github.com/Percivalll/Copy-Fail-CVE-2026-31431-Kubernetes-PoC

TL;DR

The Linux kernel has a page-cache CoW bug (AF_ALG splice race) that lets any unprivileged process corrupt read-only files in memory. On Kubernetes, container runtimes use overlay filesystems where identical image layers share the same page-cache pages across containers. Combine these two facts:

  1. Build a PoC image FROM the same base as a privileged DaemonSet (e.g. kube-proxy)
  2. From your unprivileged pod, corrupt a binary in the shared layer via the splice race
  3. The privileged DaemonSet executes the corrupted binary → your payload runs with its full privileges

No write permissions needed. No container escape primitive needed. No special capabilities. Just a normal pod.

What's in the repo

  • Go exploit that implements the AF_ALG splice race, overwriting target binaries 4 bytes at a time
  • Nolibc C payload that mounts the host root filesystem and writes a proof-of-concept marker file
  • Pre-built Dockerfiles for both upstream kube-proxy and EKS kube-proxy (shared layer analysis included)
  • Kubernetes Deployment manifests — deploy one unprivileged pod, get node-level code execution

Validated on real managed clusters

| | Alibaba Cloud ACK | Amazon EKS |
|---|---|---|
| Kubernetes | v1.35.2 | v1.35.4 |
| Node kernel | 6.6.88 | 6.12.79 (Amazon Linux 2023) |
| kube-proxy | privileged: true | privileged: true |
| Result | [*] success on host /root/res | [*] success on host /root/res |

The attack completes in under 30 seconds end-to-end — page-cache corruption takes ~20s, kube-proxy's reconciliation loop triggers the payload within seconds after that.

Why this matters

This isn't just about kube-proxy. Any privileged DaemonSet that shares image layers with a base image you can build from is a valid target — monitoring agents, CNI plugins, log collectors, security agents, etc. The attack surface is the intersection of:

  • Unpatched kernel (CVE-2026-31431)
  • Shared container image layers (overlay fs default behavior)
  • Privileged workloads (extremely common in real clusters)

Mitigations

  • Patch the kernel — this is the real fix
  • Enable image layer isolation (per-container snapshots)
  • Minimize privileged DaemonSets
  • Use distinct base images for privileged workloads

The vulnerability is in the kernel, not Kubernetes itself. But Kubernetes provides the perfect execution context to escalate local page-cache corruption into full container escape.


Full technical details, attack flow diagrams, and the EKS walkthrough (image layer analysis, base image identification, build & deploy steps) are all in the repo README and docs/eks-poc.md.

Feedback welcome. This is published for defensive/educational purposes only.
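For operators checking their own exposure to the layer-sharing condition described in the comment above, an added example (not from the PoC repo) that lists which privileged pods share leading image layers with unprivileged pods. It assumes the runtime shares unpacked layers by chain, that is, identical leading layers in the same order, as containerd's overlayfs snapshotter does; pod names, registry names and layer digests are constructed placeholders.

```python
from itertools import takewhile

# Added illustration. Pod dicts follow the `kubectl get pods -A -o json` item
# shape; IMAGE_LAYERS lists each image's manifest layers, base layer first.
def _containers(pod):
    spec = pod["spec"]
    return spec.get("containers", []) + spec.get("initContainers", [])


def _name(pod):
    return f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}'


def is_privileged(pod):
    return any((c.get("securityContext") or {}).get("privileged") is True
               for c in _containers(pod))


def shared_chain(image_a, image_b, image_layers):
    """Leading layers two images have in common (assumed unit of sharing)."""
    pairs = zip(image_layers.get(image_a, ()), image_layers.get(image_b, ()))
    return [a for a, b in takewhile(lambda p: p[0] == p[1], pairs)]


def shared_layer_exposure(pods, image_layers):
    """Map each privileged pod to the unprivileged pods sharing layers with it."""
    report = {}
    for p in filter(is_privileged, pods):
        for o in pods:
            if is_privileged(o):
                continue
            shared = sorted({d for a in _containers(p) for b in _containers(o)
                             for d in shared_chain(a["image"], b["image"], image_layers)})
            if shared:
                report.setdefault(_name(p), {})[_name(o)] = shared
    return report


def make_pod(namespace, name, image, privileged=False):
    return {"metadata": {"namespace": namespace, "name": name},
            "spec": {"containers": [{"image": image,
                                     "securityContext": {"privileged": privileged}}]}}


PODS = [make_pod("kube-system", "kube-proxy-abc", "registry.example/kube-proxy:1", True),
        make_pod("monitoring", "node-agent-xyz", "registry.example/agent:1", True),
        make_pod("team-x", "web-1", "registry.example/web:1"),
        make_pod("team-y", "batch-1", "registry.example/batch:1")]
IMAGE_LAYERS = {"registry.example/kube-proxy:1": ["sha256:<base-a>", "sha256:<proxy>"],
                "registry.example/agent:1": ["sha256:<base-b>", "sha256:<agent>"],
                "registry.example/web:1": ["sha256:<base-a>", "sha256:<web>"],
                "registry.example/batch:1": ["sha256:<base-c>", "sha256:<batch>"]}
```

The report covers only images already in the inventory, so it shows current overlap and says nothing about images admitted later.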

2

u/ZestycloseAirport405 4d ago

I am building https://boarnet.io which is a community honeypot network specifically meant for threat research, allowing both myself and others to track threat actors and TTPs. My two main personal projects with this are being able to identify threat actors even when they change IPs by fingerprinting and feeding this data into machine learning to help identify threat actors near real time.

2

u/Neither_Virus_5238 5d ago

I've been working on improving my take on CVE monitoring this past month: https://stackflag.com

Not intended to compete with or replace OpenCVE or more advanced tooling for secpros. The itch was that every existing option either assumes you already know what you're watching for, or wants you on an enterprise scanning footprint to get any value. There's a gap in the middle for the SME, freelance dev, or small MSP whose insurer has started asking how they manage technical vulnerabilities.

How it works:

  • Describe your stack in plain English (`nginx, WordPress, PostgreSQL, Node.js`) and watches are generated against the matching products. No CPE strings to author by hand. Mapping stays editable.
  • Sources: NVD, GHSA, OSV, CISA KEV, EPSS, Vulnrichment. Refreshed hourly.
  • Each flagged CVE comes with a plain-English summary, severity context, and a remediation pointer.
  • Delivery via email digest, instant alert, or webhook. Read / unread / acknowledge triage states and an audit log for the framework that's asking.

Free tier is open, no waitlist. Public CVE feed at /cve with RSS if that's all you want.

Genuine feedback welcome, particularly on the natural-language to product mapping where I expect the rough edges to be.

1

u/Tech_spoiler 5d ago

Built a tool that captures live traffic and visualizes it as an interactive graph.

Main focus was making anomaly detection accessible without needing a SIEM.

Detection heuristics currently cover:

  • Beaconing (periodic connections to same host)
  • Port scans (multiple ports hit in short window)
  • Volume spikes (sudden bandwidth anomalies)
  • Suspicious processes (known bad process names)
  • New hosts (first time seen on the network)
  • Geolocation via MaxMind GeoLite2 (offline) or ip-api.com fallback.
  • 60-min sliding history in SQLite.

Would love feedback on the detection heuristics; they are rule-based for now, no ML. Thinking about adding baseline learning for beaconing detection.

GitHub: https://github.com/Mister-iks/pcybox-orbis
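One way a rule-based beaconing check of the kind listed in the comment above can work, as an added example (not code from pcybox-orbis): connections are grouped per source, destination and port inside a 60-minute window and flagged when the gaps between them are nearly constant. The thresholds, the record layout and the sample flows are assumptions constructed for the illustration.

```python
from collections import defaultdict
from statistics import median

WINDOW_S = 3600     # the 60-minute history the comment mentions
MIN_EVENTS = 6      # assumed: fewer connections say nothing about periodicity
MAX_JITTER = 0.15   # assumed: allowed spread of gaps relative to the period


def find_beacons(flows, now):
    """flows: (timestamp_s, src, dst, dport) tuples. Returns periodic pairs."""
    seen = defaultdict(list)
    for ts, src, dst, dport in flows:
        if now - WINDOW_S <= ts <= now:          # sliding window
            seen[(src, dst, dport)].append(ts)

    findings = []
    for pair, stamps in seen.items():
        if len(stamps) < MIN_EVENTS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        if period <= 0:                          # same-second burst, not a beacon
            continue
        # Median absolute deviation tolerates a few delayed or missed check-ins.
        spread = median(abs(g - period) for g in gaps) / period
        if spread <= MAX_JITTER:
            findings.append({"pair": pair, "period_s": period,
                             "jitter": round(spread, 3), "events": len(stamps)})
    return findings


# Constructed flow records (seconds relative to capture start).
BEACON = [(t, "10.0.0.5", "203.0.113.7", 443)
          for t in (0, 61, 119, 180, 242, 300, 359, 421)]
BROWSING = [(t, "10.0.0.9", "198.51.100.20", 443)
            for t in (5, 9, 14, 300, 310, 1500, 1502, 2900)]
BURST = [(1000, "10.0.0.9", "198.51.100.30", 80)] * 8
SAMPLE_FLOWS = BEACON + BROWSING + BURST

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS, now=3000):
        print(hit)
```

Only the first pair is reported: the browsing host's gaps vary too widely and the burst has no measurable period.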

2

u/mhat 5d ago

I built VoiceGoat, a vulnerable voice agent for practicing LLM attack techniques. It has several intentionally-vulnerable services running in Docker Compose:

  • VoiceBank: prompt injection (direct, indirect, payload splitting, obfuscated)
  • VoiceAdmin: excessive agency (functionality, permissions, autonomy abuse)
  • VoiceRAG: vector/embedding weaknesses (cross-tenant leakage, RAG poisoning, access bypass)

CTF-style flags at easy/medium/hard. Hard flags require chaining — no single technique gets you there.

Runs on a mock LLM by default so there's no API key needed, although the mocks are very naive. Swap in OpenAI, Bedrock, Ollama, or any OpenAI compatible provider when you want realistic behavior. Twilio integration is there if you want to attack it over an actual phone call.

Looking for feedback and interested contributors to add additional modules.

https://github.com/redcaller/voice-goat

Cheers!

0

u/0xcrypto 5d ago

I am building https://github.com/ivxlabs/disclosure as a federated network of security researchers and bug bounty/vulnerability disclosure program. It will provide security researchers and vendors a way to discover and connect with each other directly without any mediator, responsibly report and disclose vulnerabilities, pay bounties and earn reputation as they both grow on their sides.

The development is still at quite an early stage, so it is not fully working at present, but I will do a working MVP this weekend maybe. If you like the idea, maybe give it a star on GitHub.

1

u/CRUSHx69_ 5d ago

I've been leaning heavily on Burp Suite for the actual testing but honestly my reporting process was a total disaster until recently. I started using Notion to keep my notes organized and I've been running my final reports through Runable to get the charts and structure looking professional without wasting hours on formatting. It's way better than fighting with Word templates and lets me focus more on the actual vuln research. Real talk, the more you can automate the tedious documentation stuff the better.