redteamer.tips | Jean-Francois MaesOffensive security, AI-first development, and strong opinions about spec engineering.https://jfmaes.me/Ralph-NG: Your AI Shouldn't Grade Its Own Homeworkhttps://jfmaes.me/blog/ralph-ng-your-ai-shouldnt-grade-its-own-homework/https://jfmaes.me/blog/ralph-ng-your-ai-shouldnt-grade-its-own-homework/Claude writes the code. Codex reviews it blind. If they disagree, they argue. If they're stuck, a human steps in. Here's how I built it.Thu, 02 Apr 2026 00:00:00 GMTThe Hitchhiker's Guide to LLMs: From 'Hey ChatGPT' to Autonomous Coding Agentshttps://jfmaes.me/blog/the-hitchhikers-guide-to-llms/https://jfmaes.me/blog/the-hitchhikers-guide-to-llms/Everything I know about using LLMs well. Not the hype version. Not the doom version. The practical one.Sat, 28 Mar 2026 00:00:00 GMTCoding Is Dead. Engineering Never Was.https://jfmaes.me/blog/coding-is-dead-engineering-never-was/https://jfmaes.me/blog/coding-is-dead-engineering-never-was/The spec is the product now. Code is a commodity. Here's what that means and what I'm building about it.Mon, 23 Mar 2026 00:00:00 GMTCrossfire: When One LLM Isn't Enoughhttps://jfmaes.me/blog/crossfire-when-one-llm-isnt-enough/https://jfmaes.me/blog/crossfire-when-one-llm-isnt-enough/I built a web app that makes Claude and Codex argue with each other before writing a single line of code. The specs are better. The code is better. Here's how.Wed, 18 Mar 2026 00:00:00 GMTYour CAPTCHA Is Only as Strong as Your Weakest Modelhttps://jfmaes.me/blog/your-captcha-is-only-as-strong-as-your-weakest-model/https://jfmaes.me/blog/your-captcha-is-only-as-strong-as-your-weakest-model/How a math-based Django CAPTCHA fell apart the moment I pointed a vision LLM at it. Tesseract choked. Gemini didn't even blink.Sat, 14 Mar 2026 00:00:00 GMTStop Committing Your Secrets (You Know Who You Are)https://jfmaes.me/blog/stop-committing-your-secrets-you-know-who-you-are/https://jfmaes.me/blog/stop-committing-your-secrets-you-know-who-you-are/Plaintext .env files are a stupid little footgun. Here's the SOPS + age + direnv setup I use to keep secrets encrypted, auto-loaded, and out of Git.Wed, 11 Mar 2026 00:00:00 GMTThe Interception Layer: A Terrible Idea That Might Actually Workhttps://jfmaes.me/blog/the-interception-layer-a-terrible-idea-that-might-actually-work/https://jfmaes.me/blog/the-interception-layer-a-terrible-idea-that-might-actually-work/A middleware architecture for intercepting, anonymizing, and logging all data between autonomous AI agents and frontier LLMs. Ugly, painful to build, but it might solve the data leakage problem.Sun, 01 Mar 2026 00:00:00 GMTYour Autonomous Pentest Agent Might Be the Biggest Vulnerability in Your Networkhttps://jfmaes.me/blog/your-autonomous-pentest-agent-might-be-the-biggest-vulnerability-in-your-network/https://jfmaes.me/blog/your-autonomous-pentest-agent-might-be-the-biggest-vulnerability-in-your-network/AI agents with root access, no NDA, no background check, and no clue where your data ends up. Why autonomous pentest platforms are a compliance and security nightmare.Sat, 28 Feb 2026 00:00:00 GMTI Attempted to Build an Agentic AI... And It Immediately Got Stuck in a Loophttps://jfmaes.me/blog/i-attempted-to-build-an-agentic-ai-and-it-immediately-got-stuck-in-a-loop/https://jfmaes.me/blog/i-attempted-to-build-an-agentic-ai-and-it-immediately-got-stuck-in-a-loop/Part 1 of building a MITRE ATT&CK mapping agent crew — architecture, RAG pipeline, and the first spectacular failures.Tue, 15 Jul 2025 00:00:00 GMTTaming the Beast — Prompt Engineering and Agent Guardrailshttps://jfmaes.me/blog/taming-the-beast-prompt-engineering-and-agent-guardrails/https://jfmaes.me/blog/taming-the-beast-prompt-engineering-and-agent-guardrails/Part 2 of the MITRE ATT&CK agent series — prompt engineering techniques, chain-of-evidence validation, and fixing infinite loops.Tue, 15 Jul 2025 00:00:00 GMTBring Your Own Fix — Mr.D0x inspired variation of yet another "fix" attackhttps://jfmaes.me/blog/bring-your-own-fix/https://jfmaes.me/blog/bring-your-own-fix/A downloadfix PoC using Service Workers to simulate failed downloads and trick users into running a "repair tool" — inspired by Mr.D0x's browser-based fix attacks.Mon, 23 Jun 2025 00:00:00 GMTSorry if it's hard to catch my vibe — Building the Dumbest (Yet Smartest?) C2 in Existencehttps://jfmaes.me/blog/sorry-if-its-hard-to-catch-my-vibe/https://jfmaes.me/blog/sorry-if-its-hard-to-catch-my-vibe/How well can GenAI deal with new trends? Building a minimalist C2 with dynamic LLM-assisted capability generation via MCP.Wed, 30 Apr 2025 00:00:00 GMT%appdata% is a mistake — Introducing Invoke-DLLClonehttps://jfmaes.me/blog/appdata-is-a-mistake-introducing-invoke-dllclone/https://jfmaes.me/blog/appdata-is-a-mistake-introducing-invoke-dllclone/Combining DLL metadata cloning, export table copying, and fake code-signing into a single PowerShell workflow for DLL hijacking operations.Wed, 25 Aug 2021 00:00:00 GMTA pinch of XLL and a splash of Rust has the potential to be a sharp combinationhttps://jfmaes.me/blog/a-pinch-of-xll-and-a-splash-of-rust/https://jfmaes.me/blog/a-pinch-of-xll-and-a-splash-of-rust/Emulating the Buer Loader threat using Rust for reconnaissance and a C# XLL dropper — from zero Rust experience to a working PoC.Thu, 05 Aug 2021 00:00:00 GMTClick your shortcut and... you got pwnedhttps://jfmaes.me/blog/click-your-shortcut-and-you-got-pwned/https://jfmaes.me/blog/click-your-shortcut-and-you-got-pwned/Introducing LnkGen, a GUI tool for crafting malicious LNK shortcut files with bamboozle mode, alternate data streams, and expert options.Wed, 16 Jun 2021 00:00:00 GMTA tale of .NET assemblies, cobalt strike size constraints, and reflectionhttps://jfmaes.me/blog/a-tale-of-net-assemblies-cobalt-strike-size-constraints-and-reflection/https://jfmaes.me/blog/a-tale-of-net-assemblies-cobalt-strike-size-constraints-and-reflection/Exploring how reflection and AppDomain.AssemblyResolve can bypass Cobalt Strike's 1MB execute-assembly limit by loading .NET dependencies at runtime.Mon, 21 Dec 2020 00:00:00 GMT