聚焦云安全、基础设施治理与开源工具。最近一大半时间投入在 AI 安全上 — AI for Security,以及 Security for AI。 I work across cloud security, infra governance and open-source tooling. Most of my time these days goes into AI security — both AI 4 Security and Security 4 AI.
↓ 最近的重心 — AI 与安全的两个方向 ↓ Where I'm focused now — two sides of AI & Security
— 大半时间在这两件事中间跑 — most of my time runs between these two
把 AI 当成放大镜 — 帮安全工程师看得更远。 AI as a magnifying glass — help engineers see further.
用大模型做漏洞情报的归类、报告生成,用 agent 跑 recon、做合规审计的初稿。把人从重复劳动里放出来,去做真正需要判断的事。 Using LLMs to triage vuln intel and generate deep-dive reports. Using agents to run recon and draft compliance audits. Free people from repetition so they can do work that actually needs judgment.
AI 系统本身要怎么守 — 这是个新边界。 How do you protect AI systems themselves — a new perimeter.
prompt 注入、模型供应链、agent 工具调用的越权、训练数据投毒。AI 系统是新的攻击面,它的威胁建模和传统应用不太一样。我在做内部 AI 应用的红队 + 防护规范。 Prompt injection, model supply chain, over-privileged agent tool calls, training-data poisoning. AI systems are a new attack surface — their threat models look different from classic apps. I run internal AI red-teaming and write protection guidelines.
⟶ 这两个方向看似对立,其实是同一件事的两面:把 AI 拉进安全工作流,同时把安全工作流拉进 AI。 ⟶ These two look opposite but are the same thing from two sides — pull AI into security workflows, pull security workflows into AI.
— 一些简短的介绍 — a short introduction
我是方锦旭,一名年轻的网络安全工程师。曾在腾讯科技任高级安全工程师,专注云安全产品与流程建设;后加入 NWCD(AWS 中国宁夏区运营商),负责云服务的安全合规建设。现在就职于网商银行,专注基础设施安全治理与安全产品研发。 I'm Jinxu, a security engineer based in Beijing. Senior security engineer at Tencent (cloud security products), then NWCD (AWS China Operator, cloud security & compliance). Now at MYbank, focused on infrastructure security governance and security product R&D.
我研发的安全产品现在仍服务于腾讯云和 NWCD(AWS China)上的云租户。25 岁通过 CISSP,国内较年轻的持证者之一。 Products I built still ship on Tencent Cloud and NWCD (AWS China) today. CISSP at 25 — one of the younger holders in China.
业余在做开源工具 — 神龙漏洞库、ct-radar、写写贴。喜欢写,喜欢骑摩托。 Open source on the side — Shenlong Vuln DB, ct-radar, wpaste. I write, and I ride.
— 最近在做的几件事,多半绕着 AI × 安全 — a few recent things, mostly orbiting AI × Security
持续收集公开漏洞情报,用 LLM 做归类、风险打分、深度分析报告。给安全研究员、SRE 第一时间的威胁动态 — 过滤噪声、留下信号。 Continuously aggregates public vuln intel; LLMs do triage, risk scoring, and deep-dive reports. Real-time threat motion for researchers and SREs — filter noise, keep signal.
证书透明度搜索引擎,已索引 12 亿+ 证书。在子域名发现、资产盘点和 recon 流水线里,替代慢吞吞的传统搜索。 A certificate-transparency search engine — 1.2B+ certs indexed. A drop-in replacement for sluggish CT search in subdomain discovery, asset inventory and recon pipelines.
让 AI 生成的研究、笔记、方案沉淀进个人知识库 — 一次一篇。Agent / CLI 优先,把 AI 输出变成你独有的认知壁垒。 Distill AI-generated research, notes and plans into a private knowledge base — one paste at a time. Agent & CLI-first; turn AI output into your moat.
个人博客 — 安全笔记、AI 文章、读书摘录与日常记录。120+ 篇,断断续续写了 8 年。 Personal blog — security notes, AI essays, book notes and life updates. 120+ posts, eight years on and off.
— 最近在做、在想、在读的事 — what I'm doing, thinking, reading
— 摩托、山野、镜头是另一种笔记 — bikes, mountains, the camera as another notebook
如果你在做相关的事 — AI 安全、云安全、漏洞情报,或者想约一段摩旅 — 欢迎来聊。 If you're working on something related — AI security, cloud security, vuln intel — or want to share a riding route, get in touch.