2026-03-27
Kali MCP
Offensive Security
I hacked my own website — 13 findings from auditing siegeoffense.com
I sell AI-assisted pentesting tools. So I pointed them at my own site. Found a publicly readable license key database, directory listing exposing every API file, and 11 other findings. Here's the full assessment, the methodology, and what I fixed.
2026-03-29
Ghidra MCP
Malware Analysis
Tearing apart a RAT from a phishing email
A coworker forwarded a suspicious email attachment that got past the spam filter. Instead of deleting it, I loaded it into Ghidra MCP. What came out was a fully functional Remote Access Trojan with keylogging, screen capture, credential harvesting, and dead-drop C2 infrastructure. Full walkthrough.
2026-04-03
Kali MCP
Offensive Security
16 vulnerabilities, zero scanners
Every automated scanner bounced off Cloudflare. So we stopped scanning and started asking. The WordPress REST API told us everything — usernames, plugin stack, media library, infrastructure IDs. Here's how AI-assisted manual enumeration found what traditional tools couldn't.