I Built DLP Into My AI Stack. Then I Found Six Ways Around It.
Seven findings against a Presidio + LiteLLM DLP stack -- guardrails silently fail, encodings bypass detection, and Open WebUI stores every prompt unmasked.
Homelab
Five AI Security Tools Found What Curl Already Knew -- But Faster, and With Receipts
Julius, Augustus, Garak, Promptfoo, and AI-Infra-Guard run against the same Ollama target from the prequel -- same vulnerability, but structured bypass rates, named CVE matches, and repeatable test configs that survive a security review.
I Stood Up a Vulnerable AI Chatbot and Watched It Fall. CVE-2025-64496, Every Step.
Full attack chain against Open WebUI v0.6.33 -- from a chat message to root RCE, admin JWT forgery, and persistent backdoor. CVE-2025-64496 exploitation with every command and dead end documented.
Before You Can Break It, You Have to Build It Wrong
Deploy the intentionally vulnerable Open WebUI v0.6.33 + Ollama 0.1.33 lab stack on Debian 13 from scratch -- Docker, compose file, API account setup, and every gotcha for CVE-2025-64496 lab reproduction.
Hardening Authentik: Every Misconfiguration I Found in My Own IdP
How to harden Authentik 2025.12.3 -- localhost bind, HAProxy path blocking and rate limiting, OpenBAO AppRole secrets injection, akadmin deactivation, and Docker worker capability hardening. Every command, every dead end, every lesson.
AI Infrastructure Isn’t Magic — It’s the Same Problems You Already Know, Stacked Differently
Understanding how self-hosted AI is built is the fastest way to understand what ChatGPT, Claude, and Gemini are actually doing with your data — and where your discipline’s failure mode lives.
I Broke My Own Identity Provider
A complete live audit of Authentik 2025.12.3 — every command, every dead end, every lesson. 10 of 15 findings confirmed exploitable including full RCE from a non-superuser account, database compromise, and a two-command path to god-mode. Zero downloaded tools.
I Hardened a Grafana Stack From "Please Hack Me" to Production-Ready. Here's Every Command I Ran.
A complete live hardening session for a Grafana monitoring stack -- every command, every failure, every fix. 15 vulnerabilities across seven categories, from anonymous access and exposed Prometheus endpoints to plaintext secrets and a single browser tab that broke the rate limiter.
15 Vulnerabilities in a Grafana Monitoring Stack (And How We Found Them)
A full vulnerability assessment of a Grafana/Prometheus monitoring stack across two VLANs. 98 commands, 15 confirmed vulnerabilities, and the investigative chain that led to each finding -- including the dead ends.
Authentik + Grafana: OAuth SSO Across VLANs and the 11 Things That Broke
A complete walkthrough of deploying Authentik as an OIDC provider for Grafana and Prometheus across a multi-VLAN lab, including every issue encountered, the diagnostic reasoning behind each fix, and the security trade-offs made along the way.