Detecting Misuse with the Claude Compliance API: The Threat Is in the Content
Detections for Claude Enterprise built on Compliance API content: a prefilter and LLM judge that catch prompt injection, jailbreaks and data exfiltration.
In this post I show how to use Anthropic's Compliance API to stream Claude Enterprise audit events into your SIEM, and introduce claude-compliance-sdk, a Python SDK I built to make interacting with the API easier. Why bother? You don't need me to tell you
This post builds on my previous article explaining how to export Slack DLP alerts using my export script, and also introduces a Python SDK for interacting with Slack DLP. Using these, I’ll show how we can go further by ingesting DLP logs into a SIEM and, finally, building a
Slack’s audit logs don’t include enough context to investigate DLP detections. In this post, I show how to export the richer DLP details Slack displays in the admin console, and I use my slack-dlp-log-extractor script to do it via the DLP API. What is Slack
In 2023 I wrote a blog post on how you can extract and use cookies from Slack to authenticate to the API, and it has become one of my most commonly viewed articles. Since then, Slack have changed a few things, and I've been doing some deeper digging
In this post I explain how to use gopass to GPG encrypt and store your secrets locally, then integrate with direnv to decrypt and load your secrets to environment variables in your shell without exposing them in plaintext. In Part 1 of this Secrets Management series I showed you: * How
Did you know that Slack provides some surprising information about a workspace to unauthenticated callers? Slack Watchman knows, and in this post I’m going to show you the information you can enumerate from a workspace, and how you can use the ‘unauthenticated probe’ functionality of Slack Watchman to get
In this post I show how you can use some of the same tools that attackers use to generate a tailored custom password list to use with Lil Pwny, and find those risky passwords before they do. As the number of data breaches continue to rise, safeguarding your Active Directory
I'm excited to announce the release of Lil Pwny 3.2.0, featuring powerful new enhancements to the Active Directory password auditing tool. This update brings significant improvements and new features. Following NIST's recommendation in Section 5.1.1.2 of their Digital Identity Guidelines, Lil
Many of my tools, such as GitLab Watchman, are designed to find secrets hardcoded or added as files to code repositories. Handling secrets this way is a bad idea for a number of reasons, but the main issue is that it leaves them open to being exposed. In this post,
This series of write-ups is for the TryHackMe Room Squid Game, which you can access here: https://tryhackme.com/room/squidgameroom. This time we're looking at the last task - Attacker 5 We will use some familiar applications (oledump, cyberchef and vipermonkey) and a new one (scdbgc). Question
This series of write-ups is for the TryHackMe Room Squid Game, which you can access here: https://tryhackme.com/room/squidgameroom. This time we're looking at Task 5 - Attacker 4 For this task we're reusing our old faithful tools: oledump and CyberChef Question 1: Provide
TryHackMe Writeups
This series of write-ups is for the TryHackMe Room Squid Game, which you can access here: https://tryhackme.com/room/squidgameroom. This time we're looking at Task 4 - Attacker 3 In this task we are going to use: oledump and vipermonkey Question 1 Provide the executable name
TryHackMe Writeups
This series of write-ups is for the TryHackMe Room Squid Game, which you can access here: https://tryhackme.com/room/squidgameroom. This time we're looking at Task 3 - Attacker 2 In this task, we're going to use oledump Question 1: Provide the streams (numbers) that
TryHackMe Writeups
This series of write-ups is for the TryHackMe Room Squid Game, which you can access here: https://tryhackme.com/room/squidgameroom. This challenge room is one of the few intended for blue teams on TryHackMe, and is categorised as hard, so I thought I would give it a go.
Slack Watchman
The new version 4.0.0 release of Slack Watchman contains some major upgrades and new features: Centralised signatures The biggest upgrade, in terms of maintenance, to Slack Watchman is the move to store and pull signatures from a centralised repository GitHub - PaperMtn/watchman-signatures: Signature base for Watchman applications
Tradecraft
This post has been updated in December 2025 to account for changes to Slack authentication since it was originally written. Slack, like many other services, uses cookies to store authentication and session information. What is interesting with Slack, however, is that one particular cookie can be used to generate a
Lil Pwny
A new year, and a new lease of life for Lil Pwny, which gets some love with the release of version 2.0.0 The new version can be found on GitHub Or can be installed from PyPI: python3 -m pip install --upgrade gitlab-watchman About Lil Pwny Lil Pwny
GitHub Watchman
If your organisation does any development, infrastructure management, or anything with code, you will know that some of your most important data and intellectual property sit in Git repositories. Whether it is down to bad coding practice, mistakes, or oversights, all sorts of confidential data is often stored in repositories
Slack Watchman
In what should be the last major version bump for a while, today I release Slack Watchman 3.0.0. This update adds some transformational features that help move Slack Watchman into the realms of being a truly useful solution for enterprise. Slack Watchman is available on GitHub: https://github.
Slack Watchman
The past housebound weeks have given me time to continue working on Slack Watchman, and I've now reached the stage of releasing version 2.0.0 The release is available on GitHub: https://github.com/PaperMtn/slack-watchman/releases/tag/2.0.0 The latest version is always
Slack Watchman
About Slack Watchman is an application I have created to search through Slack workspaces and look for sensitive information posted in public chats/channels. This information is then returned to you in the form of CSV files. You can find the project on GitHub here With the whole environment moving
Tradecraft
It seems strange to talk about normal right now considering that, at the time of writing, a lot of the world is under quarantine. Yet in security, normal is something that is important to know. When creating alerts or analysing logs, you want to be notified when something is not
Lil Pwny
💡 This post is partially out of date, and should be read in combination with the version 2.0.0 release notes Now that we have our data from Active Directory, it is time to use Lil Pwny to audit the passwords. Getting Ready Installing Lil Pwny is simple from PyPI: