Saturday, April 18, 2026

The Builder's Manifesto

Cybersecurity in a world where code is worth nothing

Another agent today.

It's all over Reddit, in every Telegram channel. "I built it over the weekend." "It found a 0-day." "It writes better code than me." Screenshots, demos, euphoria, panic.

Back in the late 80s, when we were pushing ASCII characters across endless green terminals in assembly and FOCAL, nobody thought this would turn into a trillion-dollar industry. We just wanted the machine to obey us, not the other way around.

Now it obeys itself. And we're not the ones making the rules anymore. The rules are making us.

Let's unpack this.

Saturday, April 11, 2026

Agentic SAMM

While hunting Claude-planted RCE in Ouroboros, someone had a thought about spirals, Steps Into Infinity, and what OWASP SAMM is missing for agentic development. The result is ASAMM — a security framework extension for teams whose agents have already started biting back.

The core claim: SDLC is not a cycle. It is a spiral. Each iteration returns to the same phase — design, implementation, verification — but the system changed, the tools changed, and the threat model should have changed with them. Most do not.

https://github.com/scadastrangelove/asamm

What is inside:

Sunday, March 22, 2026

Thursday, March 12, 2026

Mind the gravity

A black-box scanner sends its prayers into the dark.

Blackhole answers with pages, headers, flows, lies, half-truths, and—when needed—the unpleasant courtesy of ground truth.

Blackhole is a Python ASGI mock server for black-box scanner testing, education, and reproducible benchmarking. It serves vulnerable-looking behavior from replay profiles and explicit stateful mini-flows, while exposing a truth/scoring API to compare scanner findings against expected cases.

In other words: a scanner can hallucinate, overfit, panic, or boast. Blackhole keeps the receipts.
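What "keeping the receipts" amounts to in practice is a scoring step that matches scanner output against a truth set and refuses to be fooled by duplicates, sloppy casing, or decoy endpoints. The block below is an added illustration of that idea, not Blackhole's own truth/scoring API: the `Case`/`Finding` shapes, the `vuln == "none"` decoy convention, and the sample cases and findings are all constructed here to show the matching and the metrics.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Added example of a truth/scoring comparison. Not Blackhole's API; the data
# model and the sample data below are constructed for illustration.


@dataclass(frozen=True)
class Case:
    """One expected case in the truth set. vuln == "none" marks a decoy: looks injectable, is not."""
    case_id: str
    method: str
    path: str
    param: Optional[str]
    vuln: str


@dataclass(frozen=True)
class Finding:
    """What a scanner reported; url may carry a query string and inconsistent casing."""
    method: str
    url: str
    param: Optional[str]
    vuln: str


def _key(method, url_or_path, param, vuln):
    """Normalise so '/search/?q=1' and '/search' compare equal: method, path without query or trailing slash, param, class."""
    path = urlsplit(url_or_path).path.rstrip("/") or "/"
    return (method.upper(), path, (param or "").lower(), vuln.lower())


def score(cases, findings):
    """Match findings to cases by (method, path, param, vuln); duplicates collapse, decoy hits are singled out."""
    truth = {_key(c.method, c.path, c.param, c.vuln): c for c in cases}
    positives = {k for k, c in truth.items() if c.vuln != "none"}
    reported = {_key(f.method, f.url, f.param, f.vuln) for f in findings}
    tp, fp, fn = reported & positives, reported - positives, positives - reported
    # A finding on a decoy endpoint, whatever class it claims, is a lie the scanner bought.
    decoys = {k[:3]: c.case_id for k, c in truth.items() if c.vuln == "none"}
    decoy_hits = sorted({decoys[k[:3]] for k in fp if k[:3] in decoys})
    precision = len(tp) / len(reported) if reported else 0.0
    recall = len(tp) / len(positives) if positives else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {
        "tp": sorted(truth[k].case_id for k in tp),
        "fp": sorted(fp),
        "fn": sorted(truth[k].case_id for k in fn),
        "decoy_hits": decoy_hits,
        "precision": precision,
        "recall": recall,
        "f1": f1,
    }


# Constructed truth set and scanner output (placeholder paths, not a real target).
CASES = [
    Case("login-sqli", "POST", "/login", "username", "sqli"),
    Case("search-xss", "GET", "/search", "q", "xss"),
    Case("export-sqli", "GET", "/api/export", "file", "sqli"),
    Case("decoy-debug", "GET", "/debug", "cmd", "none"),
]
FINDINGS = [
    Finding("POST", "/login", "username", "sqli"),
    Finding("post", "/login/", "Username", "SQLi"),        # duplicate with sloppy casing
    Finding("GET", "/search/?q=%3Cscript%3E", "q", "xss"),
    Finding("GET", "/search?q=1%27", "q", "sqli"),          # wrong class on a real endpoint
    Finding("GET", "/comments", None, "xss"),               # path not in the truth set
    Finding("GET", "/debug?cmd=id", "cmd", "rce"),          # swallowed the decoy
]

if __name__ == "__main__":
    for k, v in score(CASES, FINDINGS).items():
        print(f"{k:11} {v}")
```

The point of the decoy bucket is that precision alone hides the most embarrassing failure mode: a scanner that reports on the endpoint the server deliberately dressed up as vulnerable is not merely imprecise, it is being steered.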

And every white hat should remember: all requests eventually fall into the black hole.

https://github.com/scadastrangelove/zhet-blackhole

Wednesday, January 21, 2026

I JUST WANTED TO… GRAFUNA RED TEAM

Observability is about visibility.

Visibility works both ways. If you can see it, someone else can too.

This post is the polite version of a talk I gave. The impolite version is the repo.

https://github.com/scadastrangelove/zeronights2025-GRAFUNA

Tuesday, December 30, 2025

EPSS, KEV, and the Joy of Predicting the Past

There is a recurring belief in security that if we just collect enough numbers, the future will eventually confess.

EPSS is one such number.
A clean decimal. A percentile. A promise.

So we asked a boring question: what if you actually ran patch management using EPSS thresholds? Not in theory. Not in slides. In reality—against vulnerabilities that were already exploited.

We took all vulnerabilities added to CISA’s KEV catalog in 2025. KEV is not a model. It is not predictive. It is simply a list of things that were exploited hard enough that someone had to admit it.

Nerds welcome.
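The experiment is easy to get subtly wrong: if you score each KEV entry with the EPSS value it has today, after its exploitation became public, the model looks clairvoyant. The honest version uses the score that existed on the day the CVE was added. The block below is an added illustration of that simulation, not the post's own code or data: the KEV entries, the EPSS histories and the placeholder identifiers are constructed, and the real run would feed in the KEV JSON feed and FIRST's daily EPSS snapshots instead.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Added example: simulate "patch when EPSS >= threshold" against KEV ground truth.
# All identifiers and scores below are constructed placeholders, not real CVEs,
# not the 2025 KEV feed, and not FIRST's EPSS output.


@dataclass(frozen=True)
class KevEntry:
    cve: str
    date_added: date  # the day the entry appeared in KEV


KEV = [
    KevEntry("CVE-0000-0001", date(2025, 2, 10)),
    KevEntry("CVE-0000-0002", date(2025, 3, 3)),
    KevEntry("CVE-0000-0003", date(2025, 4, 1)),
    KevEntry("CVE-0000-0004", date(2025, 5, 9)),
]

# EPSS history per CVE as [(score_date, probability), ...], ascending by date.
EPSS = {
    "CVE-0000-0001": [(date(2025, 1, 5), 0.02), (date(2025, 2, 1), 0.04), (date(2025, 2, 12), 0.90)],
    "CVE-0000-0002": [(date(2025, 1, 5), 0.60)],
    "CVE-0000-0003": [(date(2025, 4, 3), 0.30)],   # first scored only after it hit KEV
    "CVE-0000-0004": [(date(2025, 1, 20), 0.15), (date(2025, 6, 1), 0.20)],
}


def epss_as_of(history, cve, when):
    """Latest score published on or before `when`, or None if EPSS had nothing for it yet."""
    score = None
    for scored_on, p in history.get(cve, []):
        if scored_on > when:
            break
        score = p
    return score


def latest_epss(history, cve):
    h = history.get(cve)
    return h[-1][1] if h else None


def simulate_policy(kev, history, threshold, lead_days=0):
    """Bucket each KEV entry by the score that existed `lead_days` before its KEV date:
    covered (policy had already flagged it), missed (below threshold), unscored (no score yet)."""
    out = {"threshold": threshold, "covered": [], "missed": [], "unscored": []}
    for e in kev:
        s = epss_as_of(history, e.cve, e.date_added - timedelta(days=lead_days))
        bucket = "unscored" if s is None else ("covered" if s >= threshold else "missed")
        out[bucket].append(e.cve)
    return out


def hindsight_only(kev, history, threshold):
    """Entries today's score would flag but the score available on KEV day would not: predicting the past."""
    hits = []
    for e in kev:
        then, now = epss_as_of(history, e.cve, e.date_added), latest_epss(history, e.cve)
        if now is not None and now >= threshold and (then is None or then < threshold):
            hits.append(e.cve)
    return hits


def recall_curve(kev, history, thresholds=(0.01, 0.1, 0.5, 0.9)):
    """Share of KEV entries the policy would have patched before they were confirmed exploited."""
    return {t: len(simulate_policy(kev, history, t)["covered"]) / len(kev) for t in thresholds}


if __name__ == "__main__":
    print(simulate_policy(KEV, EPSS, 0.1))
    print("flagged only in hindsight:", hindsight_only(KEV, EPSS, 0.1))
    print(recall_curve(KEV, EPSS))
```

The `unscored` bucket matters as much as `missed`: a threshold policy cannot act on a number that does not exist yet, and anything first scored after its KEV date is a case where the model was told the answer before being asked the question.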

Thursday, September 25, 2025

CVE-2025-20352: Exposed SNMP is “not a vuln”? 0kk...

It’s just a friendly UDP oracle telling strangers what your routers are, how old they are, and whether they like to take naps when prodded. Totally fine.

CVE-2025-20352 lives in Cisco IOS/IOS XE’s SNMP stack. Crafted packets + creds = sad router. While everyone argues about advisory footnotes, we do the boring part: find what talks SNMP with default communities and tag what looks at risk.
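The boring part needs nothing more than a UDP socket and a handful of BER bytes. The block below is an added example of that sweep, not the linked repo's code: it hand-rolls an SNMPv2c GET for sysDescr, tries the usual default communities, and tags the answer by software family. The `classify` buckets, the community list and the sample sysDescr strings are assumptions made here for illustration; mapping a tag to "affected" still means reading the Cisco advisory for the exact releases.

```python
import random
import socket

# Added example: SNMPv2c sysDescr sweep with default communities, standard library only.
# Not the CVE-2025-20352 repo's code; community list and sample strings are constructed.
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2
COUNTER32, GAUGE32, TIMETICKS = 0x41, 0x42, 0x43
SYS_DESCR = "1.3.6.1.2.1.1.1.0"
DEFAULT_COMMUNITIES = ("public", "private")  # assumption: extend from your own wordlist

def _len(n):
    """BER length: short form below 128, long form (0x80|N, then N length bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def _int(n):
    """Minimal two's-complement INTEGER for non-negative n."""
    return _tlv(INTEGER, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def _oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for sub in parts[2:]:
        chunk = bytearray([sub & 0x7F])
        sub >>= 7
        while sub:  # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (sub & 0x7F))
            sub >>= 7
        out += chunk
    return _tlv(OID, bytes(out))

def build_get(community, oid, request_id):
    varbind = _tlv(SEQUENCE, _oid(oid) + _tlv(NULL, b""))
    pdu = _tlv(GET_REQUEST, _int(request_id) + _int(0) + _int(0) + _tlv(SEQUENCE, varbind))
    return _tlv(SEQUENCE, _int(1) + _tlv(OCTET_STRING, community.encode()) + pdu)

def build_response(community, request_id, varbinds):
    """GetResponse with OCTET STRING values; useful for a mock agent or an offline test."""
    vbl = b"".join(_tlv(SEQUENCE, _oid(o) + _tlv(OCTET_STRING, v.encode())) for o, v in varbinds)
    pdu = _tlv(GET_RESPONSE, _int(request_id) + _int(0) + _int(0) + _tlv(SEQUENCE, vbl))
    return _tlv(SEQUENCE, _int(1) + _tlv(OCTET_STRING, community.encode()) + pdu)

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _decode_oid(body):
    subs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(val)
            val = 0
    return ".".join(map(str, subs))

def _decode_value(tag, body):
    if tag in (INTEGER, COUNTER32, GAUGE32, TIMETICKS):
        return int.from_bytes(body, "big", signed=(tag == INTEGER))
    if tag == OCTET_STRING:
        return body.decode("latin-1")
    if tag == OID:
        return _decode_oid(body)
    return None  # NULL, noSuchObject, noSuchInstance, endOfMibView

def parse_response(data):
    """Return (request_id, error_status, [(oid, value), ...]) from a v1/v2c GetResponse."""
    _, msg, _ = _read_tlv(data, 0)
    _, _, pos = _read_tlv(msg, 0)        # version
    _, _, pos = _read_tlv(msg, pos)      # community, echoed back
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    if pdu_tag != GET_RESPONSE:
        raise ValueError("not a GetResponse PDU: tag 0x%02x" % pdu_tag)
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _, pos = _read_tlv(pdu, pos)      # error-index
    _, vbl, _ = _read_tlv(pdu, pos)
    out, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid_body, p = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, p)
        out.append((_decode_oid(oid_body), _decode_value(vtag, vbody)))
    return int.from_bytes(rid, "big", signed=True), int.from_bytes(err, "big", signed=True), out

def classify(sysdescr):
    """Coarse tag from sysDescr (assumed bucket names): the family is what the advisory keys on."""
    s = sysdescr or ""
    if "Cisco IOS XE" in s or "IOS-XE" in s:
        return "cisco-ios-xe"
    if "Cisco IOS" in s:
        return "cisco-ios"
    return "other"

def probe(host, communities=DEFAULT_COMMUNITIES, port=161, timeout=2.0):
    """First community the agent answers to, with its sysDescr and tag; None if it stays silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for community in communities:
            rid = random.randint(1, 0x7FFFFFFF)
            sock.sendto(build_get(community, SYS_DESCR, rid), (host, port))
            try:
                data, _ = sock.recvfrom(65535)
            except socket.timeout:
                continue  # wrong community: v2c agents drop the packet silently
            got_rid, err, vbs = parse_response(data)
            if got_rid == rid and err == 0 and vbs:
                return community, vbs[0][1], classify(vbs[0][1])
    return None
```

Match the request-id on the way back: scanning over UDP from one socket means any stray datagram that lands on the port would otherwise be taken for an answer. And note what a positive hit actually proves: a default community on a device whose sysDescr names the affected software family, which is exactly the precondition the advisory describes, not the exploit itself.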

https://github.com/scadastrangelove/CVE-2025-20352