genai security researcher · ai red teamer · offensive security writer
I'm Kai Aizen — independent offensive security researcher. I break production systems — Linux kernel, Kubernetes, container runtimes, OSS libraries, and the LLMs increasingly woven through them — then publish the methodology.
Social engineering and prompt injection are the same attack class, executed against different substrates. The frameworks, tooling, and research below all trace back to that thesis.
Creator of AATMF / P.R.O.M.P.T / SEF · Author of Adversarial Minds
30 CVEs · 5 mainlined Linux kernel patches · Hakin9 contributing author
| Project | Description |
|---|---|
| AATMF v3.1 | Adversarial AI Threat Modeling Framework — 20 tactics, 240+ techniques, 2,152+ procedures, 4,980+ prompts. Crosswalks to OWASP LLM Top-10, NIST AI RMF, MITRE ATLAS, EU AI Act. On OWASP GenAI Security 2026 roadmap. YARA + Sigma detection signatures included. |
| AATMF Toolkit | Python CLI for systematic LLM safety testing — three-layer evaluation pipeline, defense fingerprinting, regression tracking, attack chain planning. Mapped to the full AATMF taxonomy. |
| Claude-Red | Curated library of 58 offensive security skills across 13 categories (web, wireless, exploit-dev, infrastructure, cloud, AD, auth, fuzzing, recon, AI, IoT, mobile, utility) for the Claude skills system. Drop a SKILL.md into your environment and Claude operates as a specialist — SQLi to shellcode, EDR evasion to ADCS abuse. Trigger-loaded on demand; zero context cost for unused skills. |
| LLM Red Teamer's Playbook | Diagnostic methodology for bypassing LLM defense layers — input filters → alignment → identity → output → agentic trust. Mapped to AATMF taxonomy. |
| Burp MCP Toolkit | Skills-based security analysis framework combining Burp Suite traffic capture with Claude Code reasoning via MCP. Expert pentest methodology encoded into reusable skill files. |
| JystDastIt | The Burp You Can Afford — open-source CLI DAST toolkit for web application vulnerability scanning and XSS detection. |
| SnailObfuscator | Structurally-aware code obfuscation engine — polymorphic payload generation that bypasses static and behavioral detection. |
| P.R.O.M.P.T | Adversarial prompt engineering methodology — structured attack phases with Cialdini influence principles and PHLRA context injection. |
| SEF | Social Engineering Framework — organizational gap analysis (Authority / Process / Trust / Pressure / Knowledge), pretext selection, MITRE ATT&CK mapping. |
Published at snailsploit.com, Hakin9 Magazine, and Medium.
| Paper | Summary |
|---|---|
| Self-Replicating Memory Worm | Autonomous persistence chain — skill injection + memory poisoning = self-healing implant. Four-stage kill chain, no jailbreak required. |
| Memory Injection Through Nested Skills | Dual-persistence architecture: memory slots and skill files, each restoring the other on boot. |
| Weaponized AI Supply Chain | End-to-end supply chain attack through AI agent skill injection, validated against DVWA and Juice Shop. |
| AI Gateway Threat Model (TC-21) | First generalized threat model for AI gateways — 8 attack vectors, proposed as AATMF v3 TC-21. |
| MCP vs A2A Attack Surface | Comparative threat model — where MCP and Agent-to-Agent diverge in trust boundaries. |
| The 30% Blind Spot | Empirical study showing LLM-as-judge safety classifiers miss ~30% of adversarial output classes. |
| AI Breach Detection Gap | Detection blind spots in AI-integrated production systems. |
| AI Coding Agent Attack Surface | Attack surface analysis of AI-powered coding assistants and their tool-use capabilities. |
| Agentic AI Threat Landscape | Threat landscape survey of autonomous AI agent architectures. |
| Adversarial Prompting: Complete Guide | End-to-end methodology — direct, indirect, multi-turn, and agentic prompt injection. |
| Computational Countertransference | The psychology of human–AI manipulation dynamics. |
| AATMF v3.1 vs MITRE ATLAS | Framework comparison showing coverage gaps in existing AI threat taxonomies. |
| The Memory Manipulation Problem | How attackers exploit persistent context to compromise future interactions. |
| ChatGPT Canvas DNS Exfiltration | DNS exfil via ChatGPT Canvas — rendered content triggers DNS lookups without outbound HTTP. |
| ChatGPT Sandbox RCE + DNS Exfil | Pickle deserialization RCE chained with DNS exfiltration to escape Code Interpreter sandbox. |
| Double AI, Triple Mechanism | Cloud-based obfuscator attack research. |
| Linux Kernel io_uring/zcrx Race Condition | Race condition → double-free → OOB write in io_uring zero-copy receive. Mainlined; assigned CVE-2026-43121. |
Sorted by target reach — core infrastructure first, WordPress plugins last. Severity is the secondary sort within each tier.
| # | CVE | Target | Type | Severity | Status |
|---|---|---|---|---|---|
| 1 | CVE-2026-43121 | Linux Kernel io_uring | user_ref race → double-free → OOB write | Medium (4.7) | Published |
| 2 | CVE-2026-3288 | Kubernetes ingress-nginx | Config Injection → RCE | High (8.8) | Published |
| 3 | CVE-2026-30911 | Apache Airflow Core | Missing Auth (HITL) | High (8.1) | Published |
| 4 | CVE-2026-32794 | Apache Airflow (Databricks Provider) | TLS Verification Bypass → MitM | Medium (4.8) | Published |
| 5 | CVE-2026-8368 | Perl LWP::UserAgent / HTTP::Tiny | Zero Header Strip on Cross-Host Redirect | — | NVD: RESERVED |
| 6 | CVE-2026-45363 | jwt/ruby-jwt | Empty-key HMAC Bypass | 7.4 | NVD: RESERVED |
| 7 | CVE-2026-31899 | CairoSVG | Exponential DoS — Recursive Amplification | High (7.5) | Published |
| 8 | CVE-2026-44840 | Dgraph | DQL Injection via checkUserPassword GraphQL Query | High | Published |
| 9 | CVE-2026-33693 | activitypub-federation-rust | SSRF — 0.0.0.0 Bypass | Medium (6.5) | Published |
| 10 | CVE-2026-32885 | ddev/ddev | ZipSlip | Medium (6.5) | Published |
| 11 | CVE-2026-32809 | ouch (Rust) | Symlink Escape | High (7.4) | NVD: RESERVED |
| 12 | CVE-2026-44217 | sse-channel (npm) | SSE Injection — Unsanitized Fields | Moderate | Published |
| 13 | CVE-2026-43884 | AVideo | SSRF Protection Bypass via DNS Rebinding | High | Published |
| 14 | CVE-2026-45620 | AVideo | CVE-2026-43881 Incomplete Fix | — | Published |
| 15 | CVE-2026-45619 | AVideo | CVE-2026-43884 Incomplete Fix — 6+ isSSRFSafeURL() sites discard $resolvedIP out-param at master HEAD post-603e7bf | — | Published |
| 16 | CVE-2026-3596 | Riaxe Product Customizer (WP) | Missing Auth → Priv Esc | Critical (9.8) | Published |
| 17 | CVE-2026-3599 | Riaxe Product Customizer (WP) | Unauthenticated SQLi | High (7.5) | Published |
| 18 | CVE-2026-3594 | Riaxe Product Customizer (WP) | Info Disclosure — /orders | Medium (5.3) | Published |
| 19 | CVE-2026-3595 | Riaxe Product Customizer (WP) | Unauthenticated User Deletion | Medium (5.3) | Published |
| 20 | CVE-2026-1313 | MimeTypes Link Icons (WP) | SSRF | High (8.3) | Published |
| 21 | CVE-2025-9776 | CatFolders (WP) | SQLi via CSV Import | Medium (6.5) | Published |
| 22 | CVE-2025-12163 | Omnipress (WP) | Stored XSS | Medium (6.4) | Published |
| 23 | CVE-2026-2717 | HTTP Headers (WP) | CRLF Injection | Medium (5.5) | Published |
| 24 | CVE-2026-0811 | Advanced CF7 DB (WP) | CSRF → Form Deletion | Medium (5.4) | Published |
| 25 | CVE-2026-0814 | Advanced CF7 DB (WP) | Missing Auth — Subscriber+ Export | Medium (4.3) | Published |
| 26 | CVE-2026-1314 | 3D FlipBook (WP) | Missing Auth | Medium (5.3) | Published |
| 27 | CVE-2025-11171 | Chartify (WP) | Missing Auth — Admin Function | Medium (5.3) | Published |
| 28 | CVE-2025-11174 | Document Library Lite (WP) | Missing Auth → Info Disclosure | Medium (5.3) | Published |
| 29 | CVE-2025-12030 | ACF to REST API (WP) | IDOR | Medium (4.3) | Published |
| 30 | CVE-2026-1208 | Welcart (WP) | CSRF → Settings Update | Medium (4.3) | Published |
Five patches across io_uring, IPC, Bluetooth, RDMA, and networking — all mainlined through the standard kernel maintainer process.
| # | Subsystem | Vulnerability | Status |
|---|---|---|---|
| 25 | io_uring/zcrx | Fix user_ref race between scrub and refill paths → double-free → OOB write (CVE-2026-43121) | ✅ Mainlined 7.0-rc1 |
| 26 | net/tipc | tipc_mon_peer_up/down/remove_peer UAF | ✅ Mainlined |
| 27 | Bluetooth/hci_conn | UAF in create_big_sync and create_big_complete | ✅ Mainlined |
| 28 | RDMA/ionic | Bound node_desc sysfs read with %.64s | ✅ Mainlined 2026-04-20 |
| 29 | net/rtnetlink | Zero ifla_vf_broadcast to avoid stack infoleak | ✅ Mainlined |
All patches on lore.kernel.org →
| # | ID | Target | Type | Status |
|---|---|---|---|---|
| 30 | — | TelSender (WP) | Unauthenticated Stored XSS via Telegram Chat Title (7.2) | Plugin shut down by vendor |
| 31 | GHSA-j425-whc4-4jgc | OpenClaw | system.run env override RCE — allowlist bypass (6.3) | Published |
| 32 | GHSA-gxhx-2686-5h9g | slack-go/slack | Security advisory | Published |
| 33 | — | @linear/sdk | LinearWebhooks.verify accepts empty secret without precondition | Merged ($400 bounty) |
| Metric | Count |
|---|---|
| Published / assigned CVEs | 30 |
| — of which NVD-reserved (CVE-assigned, not yet on NVD) | 3 |
| Mainlined Linux kernel patches | 5 |
| GHSAs / vendor disclosures / bounties | 4 |
CVE-2026-43121 is the assigned CVE for the mainlined io_uring/zcrx patch. It is counted once, under CVEs (#1); it is the same finding as kernel patch #25.
Sources of record: Wordfence · GHSA Credit · GitHub · lore.kernel.org
| Tool | Description |
|---|---|
| SnailHunter | AI-powered bug bounty automation — LLM analysis combined with traditional security scanning. |
| KubeRoast | Red-team Kubernetes misconfiguration & attack-path scanner. |
| Xposure | Autonomous credential intelligence platform for attack-surface recon. |
| SnailSploit Recon | Chrome MV3 extension — passive recon, security headers, IP intel, CPE→CVE enrichment. |
| Awesome-Snail-OSINT | Curated OSINT resource collection for offensive recon. |
same attack. different substrate.