Full data and test harness are open source 👇
brooksmcmillin.com/blog/prompt-...
27.02.2026 14:45
👍 1
🔁 0
💬 0
📌 0
Other surprises:
- GPT-4o and Claude Sonnet 4.5: never injected, even with zero defense
- Few-shot poisoning: 29.5% success rate, the only attack that still works reliably
- The sandwich technique most people recommend? It actually makes things worse
27.02.2026 14:45
👍 0
🔁 0
💬 1
📌 0
I ran 10,080 prompt injection tests across 8 models and 6 defense strategies.
The biggest finding: telling a model to "note the attempt and disregard it" cuts injection rates 5x vs "don't follow other instructions." Procedures beat prohibitions.
27.02.2026 14:45
👍 0
🔁 0
💬 1
📌 0
Yep, the more we depend on logical security tooling vs hoping the LLM translates our words the right way, the better.
27.02.2026 04:24
👍 0
🔁 0
💬 0
📌 0
No theoretical architectures. I'll show the actual code, the actual failures, and the fixes, including a memory contamination bug where my business advisor's context leaked into my security researcher's responses.
Come find me if you're building agentic systems and want to compare notes.
23.02.2026 15:15
👍 0
🔁 0
💬 0
📌 0
- Tool allowlists & capability bounding
- Prompt injection detection that needed real-world tuning (too many false positives)
- Multi-agent memory isolation failure
- OAuth device flow for headless auth
- Hot-reload to stop bypassing my own security to iterate faster
23.02.2026 15:15
👍 0
🔁 0
💬 2
📌 0
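Added example, not the speaker's code: the first and third bullets above (tool allowlists with capability bounding, and multi-agent memory isolation) as a small Python harness, with the shared-memory contamination failure shown beside the isolated fix. The agents, tools, fake filesystem, capability names and policy checks are all constructed for this illustration.

```python
"""Allowlisted, capability-bounded tool dispatch plus per-agent memory.
Everything here (agents, tools, FAKE_FS, capability labels) is hypothetical."""
import os
from dataclasses import dataclass
from typing import Callable

# Constructed stand-ins for real side effects.
FAKE_FS = {
    "/srv/notes/q3.txt": "Q3 pricing draft",
    "/home/me/.ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----",
}
OUTBOX: list[tuple[str, str]] = []


def read_file(path: str) -> str:
    return FAKE_FS[path]


def send_email(to: str, body: str) -> str:
    OUTBOX.append((to, body))
    return f"queued to {to}"


@dataclass(frozen=True)
class Tool:
    name: str
    needs: frozenset[str]          # capabilities the tool exercises when it runs
    fn: Callable[..., str]


TOOLS = {
    "read_file": Tool("read_file", frozenset({"fs:read"}), read_file),
    "send_email": Tool("send_email", frozenset({"net:egress", "pii:send"}), send_email),
}


@dataclass(frozen=True)
class AgentProfile:
    agent_id: str
    allowed_tools: frozenset[str]      # allowlist: which tools the agent may name at all
    capabilities: frozenset[str]       # ceiling: a tool needing more than this is refused
    path_prefixes: tuple[str, ...] = ()  # fs:read is bounded to these directories


class PolicyViolation(PermissionError):
    pass


def dispatch(agent: AgentProfile, tool_name: str, **kwargs) -> str:
    """Every tool call goes through here; the model never calls tool.fn directly."""
    tool = TOOLS.get(tool_name)
    if tool is None or tool_name not in agent.allowed_tools:
        raise PolicyViolation(f"{agent.agent_id}: tool {tool_name!r} not allowlisted")
    missing = tool.needs - agent.capabilities
    if missing:
        raise PolicyViolation(f"{agent.agent_id}: {tool_name} needs {sorted(missing)}")
    if "fs:read" in tool.needs:
        # Normalise first so '/srv/notes/../home/...' cannot walk out of bounds.
        path = os.path.normpath(kwargs.get("path", ""))
        if not any(path.startswith(prefix) for prefix in agent.path_prefixes):
            raise PolicyViolation(f"{agent.agent_id}: path {path!r} outside bounds")
        kwargs["path"] = path
    return tool.fn(**kwargs)


def is_denied(agent: AgentProfile, tool_name: str, **kwargs) -> bool:
    try:
        dispatch(agent, tool_name, **kwargs)
    except PolicyViolation:
        return True
    return False


class SharedMemory:
    """The contamination bug: one list serves every agent."""
    def __init__(self) -> None:
        self._items: list[str] = []

    def remember(self, agent_id: str, text: str) -> None:
        self._items.append(text)

    def recall(self, agent_id: str) -> list[str]:
        return list(self._items)


class IsolatedMemory:
    """The fix: memory keyed by agent id, so recall never crosses the boundary."""
    def __init__(self) -> None:
        self._items: dict[str, list[str]] = {}

    def remember(self, agent_id: str, text: str) -> None:
        self._items.setdefault(agent_id, []).append(text)

    def recall(self, agent_id: str) -> list[str]:
        return list(self._items.get(agent_id, []))


def contamination_check(memory) -> bool:
    """True when the security researcher can see the business advisor's context."""
    memory.remember("business-advisor", "client margin target 38%")
    memory.remember("security-researcher", "triaging an inbound CVE report")
    return any("margin" in m for m in memory.recall("security-researcher"))


RESEARCHER = AgentProfile("security-researcher", frozenset({"read_file"}),
                          frozenset({"fs:read"}), ("/srv/notes/",))
ADVISOR = AgentProfile("business-advisor", frozenset({"read_file", "send_email"}),
                       frozenset({"fs:read", "net:egress", "pii:send"}), ("/srv/notes/",))
# Allowlisted for send_email but without the pii:send capability: still refused.
CONTRACTOR = AgentProfile("contractor", frozenset({"send_email"}), frozenset({"net:egress"}))
```

The two checks are deliberately separate: the allowlist says which tool names an agent may utter, the capability ceiling says what a tool is allowed to do on its behalf, so adding a tool to an allowlist never silently grants more than the agent's ceiling.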
Speaking at [un]prompted AI Security Conference next week at Salesforce Tower SF.
"Building Secure Agentic Systems: Lessons from Daily-Driver Agents"
March 4, 11:45 AM
Live demos of what actually breaks when you build agents you use every day. 🧵
23.02.2026 15:15
👍 0
🔁 0
💬 1
📌 0
Blink Shell is a professional, desktop grade terminal for iOS. With Mosh & SSH clients for iOS, local UNIX tools, lightning fast and fully customizable. The best terminal for iOS and iPadOS.
I use Blink on iPhone and it's the best SSH client I've run into. $20/year, but well worth it if you want to be able to SSH into a box and do some quick edits.
That plus a bunch of linting and QoL extensions for Neovim make it bearable.
blink.sh
08.02.2026 04:19
👍 1
🔁 0
💬 0
📌 0
Neovim - Wikipedia
How about CLI-based IDEs, like Neovim (en.wikipedia.org/wiki/Neovim).
Not sure if it’s the best of both worlds or the worst, but it makes it so I can have the same workflow no matter which box I’m SSHed to, and I can use it from my phone terminal when needed.
08.02.2026 03:02
👍 2
🔁 0
💬 1
📌 0
Breaking Model Context Protocol - CactusCon 2026
4/ Slides + all sample code (prompt injection test harness, MCP client, OAuth email server w/ Lakera Guard) are open source:
📎 slides.brooksmcmillin.com/cactus.html#1
📎 github.com/brooksmcmill...
07.02.2026 16:39
👍 0
🔁 0
💬 0
📌 0
3/ CVE-2025-6514 (CVSS 9.6): mcp-remote passed OAuth metadata straight to the system shell. One crafted authorization_endpoint = full RCE on Claude Desktop, Cursor, Windsurf, VS Code. 437K+ installs before patch.
07.02.2026 16:39
👍 0
🔁 0
💬 1
📌 0
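Added example, not mcp-remote's code: the bug class the post describes, shown generically. A client that launches the system browser by interpolating an `authorization_endpoint` taken from untrusted server metadata into a shell command line hands that server a shell; the fix is to validate the URL and pass it as one argv element with no shell involved. The metadata documents, the hostile endpoint string and the `xdg-open` opener are constructed for this illustration, not the payload or code from the CVE.

```python
"""OAuth server metadata -> browser launch: the vulnerable pattern beside the fix.
Metadata documents and endpoint strings are constructed for the example."""
import json
import re
import shlex
from urllib.parse import urlsplit

# A real client fetches these from /.well-known/oauth-authorization-server on
# whatever server it was pointed at, so the content is attacker-controlled.
BENIGN_METADATA = json.dumps({
    "issuer": "https://idp.example",
    "authorization_endpoint": "https://idp.example/authorize",
    "token_endpoint": "https://idp.example/token",
})
HOSTILE_METADATA = json.dumps({
    "issuer": "https://idp.example",
    # Closes the quote the client wraps around it and appends a second command.
    "authorization_endpoint": 'https://idp.example/authorize"; touch /tmp/owned; "',
    "token_endpoint": "https://idp.example/token",
})


def vulnerable_open_command(metadata_json: str) -> str:
    """The anti-pattern: metadata string interpolated into a shell line.
    This is what shell=True (or exec(cmdline)) would hand to /bin/sh."""
    endpoint = json.loads(metadata_json)["authorization_endpoint"]
    return f'xdg-open "{endpoint}"'


def shell_words(cmdline: str) -> list[str]:
    """How a POSIX shell tokenises the line; a URL should be exactly one word."""
    return shlex.split(cmdline)


# Only characters RFC 3986 allows in a URL; quotes, spaces and control chars fail.
_URL_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")


def validate_authorization_endpoint(metadata_json: str) -> str:
    endpoint = json.loads(metadata_json).get("authorization_endpoint")
    if not isinstance(endpoint, str) or not _URL_CHARS.fullmatch(endpoint):
        raise ValueError("authorization_endpoint has characters outside RFC 3986")
    parts = urlsplit(endpoint)
    loopback = parts.hostname in {"localhost", "127.0.0.1", "::1"}
    if parts.scheme != "https" and not (parts.scheme == "http" and loopback):
        raise ValueError("authorization_endpoint must be https (http only on loopback)")
    if not parts.hostname or parts.fragment:
        raise ValueError("authorization_endpoint needs a host and must carry no fragment")
    return endpoint


def safe_open_argv(metadata_json: str) -> list[str]:
    """Hardened form: validated URL as a single argv element, no shell.
    subprocess.run(argv) would execute it; returning argv keeps this side-effect free."""
    return ["xdg-open", validate_authorization_endpoint(metadata_json)]


def endpoint_accepted(metadata_json: str) -> bool:
    try:
        validate_authorization_endpoint(metadata_json)
    except (ValueError, json.JSONDecodeError):
        return False
    return True


if __name__ == "__main__":
    print(shell_words(vulnerable_open_command(BENIGN_METADATA)))
    print(shell_words(vulnerable_open_command(HOSTILE_METADATA)))
    print(safe_open_argv(BENIGN_METADATA))
    print(endpoint_accepted(HOSTILE_METADATA))
```

Note that the validator is a second line of defence: even a URL that passes it must never be interpolated into a shell string, because the argv form is what removes the shell from the trust boundary.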
2/ But the new threat model is real. Your OAuth client is now a reasoning engine that can be lied to.
I demoed a malicious MCP server that exfiltrates data from a legitimate task manager through the AI agent. No jailbreaking. Just a poisoned tool description.
07.02.2026 16:39
👍 1
🔁 0
💬 1
📌 0
1/ Most MCP vulns are classics in disguise:
• Missing PKCE on public clients
• Plaintext token storage
• Timing attacks on token comparison (found this 8 times)
• DNS rebinding against local servers
• Default secrets deployed to prod
07.02.2026 16:39
👍 0
🔁 0
💬 1
📌 0
MCP has 97M monthly SDK downloads. Only 8.5% of servers use OAuth. Authentication is optional in the spec.
I gave a talk at @CactusCon on breaking MCP security. Here's what I found 🧵
07.02.2026 16:39
👍 0
🔁 0
💬 1
📌 0
We run a tight ship to keep CactusCon accessible, and part of that commitment is ensuring students can access CactusCon for FREE.
STUDENTS!
Email info@cactuscon.com from a valid student email account to request a coupon code for Eventbrite. We are so excited to have you join us!
#cc14
07.01.2026 16:30
👍 0
🔁 2
💬 0
📌 0
Speaking at CactusCon 14 next month!
"Breaking Model Context Protocol: Back to Security Basics" — how MCP is repeating every OAuth mistake from the 2010s, and what to do about it.
Feb 6, 3:30 PM. See you there.
04.01.2026 17:35
👍 0
🔁 0
💬 0
📌 0
Search results for the terms “crowdstrike npm”. The first result is “CrowdStrike Falcon Prevents NPM Package Supply Chain Attacks”. The second result is “CrowdStrike npm Packages Hit by Supply Chain Attack”.
Well, that’s a bit awkward… #crowdstrike
16.09.2025 17:06
👍 40
🔁 8
💬 1
📌 0
4/5 Quick mitigations while better tooling catches up:
✅ Verify AI-suggested packages exist before installing
✅ Test auth flows with multiple accounts
✅ Manual reviews for dependency + auth logic
14.09.2025 16:35
👍 0
🔁 0
💬 1
📌 0
3/5 Traditional SAST/DAST tools miss these because they're designed around human coding patterns, not AI hallucinations and edge cases.
14.09.2025 16:35
👍 0
🔁 0
💬 1
📌 0
2/5 This isn't isolated. AI-generated code has unique security blind spots:
• Context-blind configs (HTTP-only servers in prod)
• Authentication that passes tests but fails reality
• Dependencies from outdated/insecure training data
14.09.2025 16:35
👍 0
🔁 0
💬 1
📌 0
1/5 LLMs keep recommending a Python package called "huggingface-cli" that doesn't exist. A security researcher noticed this and actually created the package to demo the supply chain risk.
14.09.2025 16:35
👍 0
🔁 0
💬 1
📌 0
Vibe Coding Will Get You Hacked! - with @davidbombal.bsky.social
https://twp.ai/9PUaq3
12.09.2025 03:26
👍 4
🔁 1
💬 0
📌 0
Instagram photo of Caroline Ulbricht, Charlie Kirk and Ross Ulbricht, smiling, while staring at the camera.
Caption reads:
The horrific murder of Charlie Kirk has hit us hard. At first, we couldn't believe it and thought it was some kind of mistake, but then came the shock and the tears. We'll forever be grateful for Charlie's support of Ross while he was in prison and for helping bring him home. We're humbled to have known him during his short time on earth. R.I.P, Charlie 💔
From Ross on X:
"Like all of you, I am mourning Charlie Kirk. He stood up for his beliefs and died for them at 31, wearing a T‑shirt that read "Freedom."
At 31, my life was taken from me for standing up for what I believed in. And Charlie helped me get it back. He never took credit for it but he played a BIG role in my freedom in many ways. Last year alone, when President Trump won the election, he asked Charlie what was the #1 thing he could do for him and Charlie replied: "Free Ross." And in the days leading to my release, Charlie advocated for a full pardon. He did this and more without expectations of me.
I wish there was something I could do to help Charlie get his life back. But there isn't, and I'm heartbroken.
Charlie, I will always be grateful to you. Thank you for all you did for me and for our country. I pray for you and your beautiful family. Rest in peace."
Charlie Kirk was one of the main campaigners for Ross Ulbricht's freedom, and had pushed in Trump's first term for a pardon. Ulbricht's most recent speaking engagement was in July at a Turning Point USA event in Tampa, where he credited Kirk with helping him.
www.nytimes.com/2025/09/07/t...
11.09.2025 21:56
👍 136
🔁 30
💬 31
📌 6
With the picture of the timeline, at first I thought these were all the events and was trying to figure out how the firing of the FEMA IT directly led to Israel bugging Iranian phones. 😂😂
Great work, as always!
01.09.2025 16:10
👍 0
🔁 0
💬 0
📌 0