Community
Classroom
Calendar
Members
Map
Leaderboards
About
8d β€’ 🧠 AI Signals
Walk into your next security team meeting with something real πŸ‘‡
Vercel got breached this week. The initial access wasn't even at Vercel β€” it was at one of their vendors (Context.ai). An employee there got hit with Lumma Stealer malware, attackers grabbed their Google Workspace OAuth tokens, and pivoted straight into Vercel's internals. Two months of dwell time. Customer environment variables exposed. ShinyHunters now asking $2M for the data.
No exploit. No zero-day. Just an OAuth grant nobody was watching. Read the story here.
Here's the thing: your company almost certainly has the same exposure right now. Every AI tool your coworkers have connected to Workspace or M365 is a non-human identity with a scope attached β€” an account you can't train, fire, or put behind MFA. Most security teams have never taken a hard look at that inventory. Not because they don't care β€” because nobody's been asking the question yet.
That's the opening.
This is an opportunity to bring this story to your security lead, and say: "I saw what happened to Vercel. I want to make sure we're not exposed the same way. Can I run a quick review?"
That's how you get pulled into AI security work at your current job β€” by spotting the thing before someone asks you to.
The drill (30 min, no budget, high visibility):
  1. Open Google Workspace or M365 admin β†’ Security β†’ third-party / connected apps
  2. Export or screenshot the list, sorted by how broad each app's access is
  3. Flag the three with the widest scopes and note: who approved it, when was it last used, does anyone still need it
  4. Write it up as a one-page brief. Reference the Vercel β†’ Context.ai β†’ OAuth pivot story so leadership understands why you looked.
That one page is the deliverable. Send it to your security lead, your manager, or drop it in your team Slack. Doesn't matter if the findings are boring β€” the act of looking is the value. You just demonstrated threat awareness, business context, and initiative in a single artifact.
If the findings aren't boring, now you're the person who caught it.
Drop your results in the comments. Screenshots welcome (redact tenant info). If you want a second set of eyes on the brief before you send it up the chain, post a draft in here and we'll sharpen it together.
This is the stuff that compounds. One small proactive review turns into "hey, want to own our AI tooling review process?" turns into the AI security role that didn't exist at your company six months ago.
Let's build.
0
0 comments
Josh Botz
3
Walk into your next security team meeting with something real πŸ‘‡
AI Cloud Security Lab
skool.com/cloud-security-lab
Learn cloud security using AI by building real cloud labs, security programs, and portfolio artifactsβ€”not just studying for certifications.
Cloud Security Lab
YouTube Channel
Leaderboard (30-day)
1
Gary Collins
+13
Powered by