A SYSTEM background service silently applies any configuration package it finds in a folder on disk — with no signature check, no consent prompt, and (unlike the known double-click vector) no user interaction at all — contradicting Microsoft's own documented model. The honest catch: on a normal PC it is administrator→SYSTEM, and the story of how a symbol's name fooled the analysis into believing otherwise is half the post.

Anyone can now point an AI at software and find zero-days of known kinds — that capability is spreading fast. This is a report on building an AI for the part no automatic oracle can score: autonomously reverse-engineering undocumented Windows internals to invent attack techniques and bug classes nobody has named, and chaining small footholds into an attack that exists in none of its parts. How it borrows ways of discovering the genuinely new from fields far outside security, doubts its own conclusions, keeps a record that cannot rewrite a guess into a fact, and runs unattended for hours without fooling itself. With what already works, what is still hard, and what comes next.

How the same AI analysis workflow that found a zero-day in strongSwan discovered a 9-year-old heap buffer overflow in BusyBox's DHCPv6 client — plus a full walkthrough of the proof-of-concept development process.

A detailed walkthrough of implementing the DEF CON 31 NoFilter WFP technique as an OPSEC-hardened Havoc C2 BOF, including indirect syscalls, return address spoofing, patchless AMSI/ETW bypass, and lessons learned from Havoc BOF development.

How I discovered CVE-2026-25075 — a vulnerability that had been quietly sitting in strongSwan's codebase since 2011 — using a structured, multi-pass AI analysis workflow.