
7 Minute Security

Brian Johnson
Latest episode

726 episodes

  • 7MS #727: Securing Your Mental Health – Part 7

    19/06/2026 | 21min
    Hello friends! It's been over a year since we did a dedicated mental health episode, so today I'm doing a big catch-up and running through my 7-point plan for being a more mentally secure me. None of this is professional medical advice (I am most definitely not a doctor or therapist — well, actually, I am in therapy, but that's tip #5), so take what's useful and leave what isn't. Terms and conditions apply.
    Here's my current mental health toolkit:
    1. Drink a ton of water — I try to chug a full Yeti thermos before my morning mint hot cocoa, then keep it going throughout the day. I taper off around dinnertime to minimize, uh, nighttime tinkle stops. Science agrees this does good things for your brain.
    2. Brick your phone — I've been using a little Bluetooth device called Brick that hooks into your phone's screen time features so you can block distracting apps on demand or on a schedule. I've got a "Brian Needs Sleepy" timer set for 9 p.m. every night — pretty much everything except the clock app goes dark. Outlook, Gmail, all the socials — gone. It's not revolutionary advice, but it turns out doing what people have been telling you to do for years actually works.
    3. Get enough sleep — Directly related to the Brick. Phone goes dark at 9 p.m., I yap with Mrs. 7 or we watch a show, and by 10:30 p.m. my peepers are drooping. I feel more refreshed and less anxiety-ridden during the day.
    4. Supplements — I'm not here to hawk some magic elixir with 47 mystery ingredients. What I'm currently trying is Nello Supercalm — a powder you mix into water. It's got magnesium glycinate, L-theanine, vitamin D3, and ashwagandha. I thought it was placebo at first, but kept it up for a week and noticed a legit mood/pep boost. Your mileage may vary, but it's doing something for me.
    5. Therapy — I've been in therapy since 2019 when my house burned down (link to those episodes here if you want to get thoroughly bummed out). If I could go back, I'd have started way earlier. The biggest benefit for me isn't some parade of uplifting affirmations — it's having a neutral third party with no stake in my life help me see situations from different angles and cut myself some slack.
    6. Take care of the TMJ — A few years back I started getting tinnitus bad. ENTs were basically like "yep, try not to think about it" — super helpful, guys. Eventually a jaw specialist found an irregularity on the left side of my jaw and fitted me with a heavy-duty custom mouth guard. That alone made a monumental difference in the ear ringing. But I also picked up a TMJ Pen on a chiropractor's recommendation — it's a 3D-printed vibrating/heated massager specifically designed for jaw muscles. Looks exactly like a vape (fun times at the airport), but it's been worth every penny of its ~$200 price tag. Between the mouth guard and the TMJ Pen, I wake up feeling way less like I survived a Saving Private Ryan scene.
    7. Forced fun — After a full work day plus all the dad/house stuff, my go-to is to be a blob on the couch. Nothing wrong with that sometimes. But I've found that the things that actually recharge me — like singing and playing guitar — require a little push to get started. So tip #7 is basically a note to future tired Brian: go downstairs, plug in the guitar, and start playing. You'll be glad you did.
    Got mental health tips that work for you? I'd genuinely love to hear them — this is the kind of conversation I want to be two-way. Find me and all things 7MS at 7MinSec.com, our Substack at 7MinSec.club, and our constantly growing pentesting wiki at 7MinSec.wiki.
  • 7MS #726: Baby's First Hermes

    12/06/2026 | 22min
    Hello friends! I've been on a bit of an AI agent journey lately, and today I'm sharing my experience ditching OpenClaw and going all-in on Hermes — a self-hosted AI agent built by Nous Research. A Network Chuck video sold me on it, I wiped my Mac Mini (again), and baby's first Hermes adventure began!
    Here's what we get into today:
    Why I left OpenClaw — After getting the Mac Mini set up, OpenClaw left me feeling pretty meh: burning through API requests, random mid-conversation shutdowns, and a marketplace where the top listings were flagged as "potentially malicious." Hard pass.
    Network Chuck's five reasons Hermes rocks — His video summarized why Hermes stands out: (1) Nous Research has serious open source model cred predating OpenClaw, (2) more flexible persistent memory via markdown files + optional Honcho integration for building a profile of you over time, (3) a mission around humanistic and democratic AI, (4) a self-improvement loop where it writes its own skills after figuring things out, and (5) it just doesn't break — it feels like a product, not a project.
    The install — I used Claude to build a Mac Mini install guide from the Network Chuck transcript, and had Hermes up and running in about 15 minutes (one small Ollama hiccup aside). The install wizard lets you choose cloud models like Claude or ChatGPT, or go fully local with something like Gemma — I'm planning a hybrid setup with two Telegram bots.
    First real-world use: sitting in a truck running errands — With Hermes running on the Mac Mini and connected via Telegram, I asked it what it could do. It suggested Uptime Kuma for LAN monitoring — weirdly well-timed since I'd just been thinking about flaky IoT devices. I said "go install it," and it did — narrating its own troubleshooting out loud the whole time like a little robot intern.
    Remote access and Home Assistant — Had it install Home Assistant for smarthome control too, with plans to wire up Twingate for remote access (it had a Tailscale skill ready to fire in about two seconds, but I'm trying to keep VPN services consolidated).
    Daily digest via email — Hooked Hermes into a dedicated Gmail account and set up a 6 a.m. cron job that sends me a personalized morning digest: weather for my watched locations, recent breach/CVE news from select sites, and a summary of my favorite pentesting-focused Mastodon accounts. Needs tuning, but the first digest landed this morning and it's really good!
    The privacy angle — The real long-term win I see here is a hybrid model: feed raw, unsanitized pentest data to a local private model, let it analyze and sanitize, then hand off the clean version to a cloud model for deeper insight. Best of both worlds without the data exposure anxiety.
    Check out the Network Chuck video that started it all, and as always, if you're doing cool AI + security stuff, I'd love to hear about it. Find our pentesting services and training at 7MinSec.com, pentesting tips and scripts at 7MinSec.wiki, and if you want to support the show, head over to 7MinSec.club.
  • 7MS #725: Building a Bulletproof Backup Solution

    05/06/2026 | 21min
    Hey friends! Backups are not as cool as pentesting, but boy do they matter when things go sideways. This week I'm sharing how a Proxmox backup disk space meltdown led me to a completely overhauled — and honestly pretty bulletproof — backup setup for both home and work. Claude played a big role in helping me sort it all out.
    Here's what we get into:
    The backup history tour — I've been through CrashPlan, Dropbox, Backblaze (which saved my bacon after my house fire in 2019!), and a mystery one that may or may not have had "Panda" in the name. These days I'm settled on ARQ for personal backups — dead simple, backs up to just about everything (Dropbox, OneDrive, Google Drive, even their own ARQ Cloud for ~$80/year), and all data is encrypted at rest. Not a sponsor, but they should be.
    The 3-2-1 rule — I actually asked Siri mid-episode, and she initially thought it was a grounding/anxiety technique. (Valid, I guess?) The real answer: three copies, two different media, one offline. I've got a local copy plus OneDrive, Google Drive, and Dropbox — so I think I'm covered.
    The work side: Proxmox + PBS — My "data center" is a beefy Hetzner Proxmox box with about a dozen VMs. I had Proxmox Backup Server (PBS) set up on a secondary Hetzner box, happily cranking away… until it ran out of disk space and started yelling at me every night.
    Claude to the rescue — I spun up a Claude project, fed it terminal output and retention configs, and it gave me a straight-up honest assessment: either gut your retention policy (risky) or get more disk. It then walked me through Hetzner's auctions page — which I didn't even know existed — to find a storage-heavy, low-horsepower box. Ended up with two mirrored 8TB drives plus a 14TB drive for around $40/month. Not cheap, but totally worth it as a business expense.
    The new setup — PBS is now on its own dedicated Hetzner box. VMs from both my data center and my home NUC Proxmox box back up there nightly. Claude also suggested using that 14TB drive as an SFTP target for ARQ, giving me yet another redundant copy of all my personal data. It'll take a few weeks to fully sync, but I'm running some flavor of the 4-3-2-1 rule now (I made that up).
    Proxmox forever — Someone wrote in asking if I'd go back to ESXi now that Broadcom brought back the free version. Hard no. I've fallen in love with Proxmox and I'm not going back.
    7MinSec wiki scripts repo — Head over to 7MinSec.wiki and click the Scripts button to find a new GitHub repo where I'm publishing pentesting scripts. First one up: a push-button Exegol installer. More to come — and I'll probably tease new scripts first over at 7MinSec.club on TuesdayTOOLSday!
    Have a backup horror story — or a setup you're proud of? Hit us up! And if you need assessments, pentesting, training, or other security goodness, find us at 7MinSec.com.
  • 7MS #724: Tales of Pentest Pwnage - Part 85

    29/05/2026 | 30min
    Hey friends! Today we're going deep on external network pentesting — something I realize we've barely touched in however many episodes we've done. I'm currently in a long stretch of back-to-back external assessments, so it felt like a good time to talk about it.
    Here's what we get into:
    Scoping headaches — why the old "count your public IPs and multiply by a big hourly rate" approach drives me crazy, and how we actually scope external tests to be fair to everyone
    Web apps in scope or not? — this needs its own conversation before the test starts, and skipping it causes pain later
    Testing under real conditions — the debate around whether to request an allowlist vs. scanning as-is, and why I lean toward creating the best testing environment possible
    Multi-tool enumeration — why we run Nessus, Project Discovery, and Shodan together, and what each catches that the others miss
    Reporting the surface — why just walking a customer through what's exposed to the internet (ports, services, screenshots) has more value than I used to give it credit for
    SNMP and NTP findings — two protocols that keep showing up open when they really (probably) shouldn't be
    OSINT phase — how we've grown externals to include open-source intelligence work on the customer's domains, not just IP-level scanning
    WordPress hygiene — it keeps coming up on these assessments, and I've got some practical recommendations
    Dorking and metadata searches — using AI to quickly sift through publicly exposed documents for things attackers could use to pretext a social engineering attack
    Subdomain hijacking — a sneaky attack path I've seen in the wild that flies right in the face of all the "check if the URL is spelled right" advice we give users
    Even when the technical findings are pretty quiet, there's a lot you can do to punch up an external pentest report with stuff that's genuinely valuable to customers!
  • 7MS #723: CARTP - Cloud Red Team Tactics for Attacking and Defending Azure - Part 1

    23/05/2026 | 32min
    Hello friends! Today's a hybrid episode — some security content up top about a new certification I've kicked off, followed by an aggressively quick trip to Tangent Town. Feel free to bail after the security stuff if tangents aren't your thing!
    The security part: starting CARTP
    I've started the Certified Azure Red Team Professional course from Altered Security (enterprisesecurity.io). It's the Azure follow-up to CRTP, which I took a few years back. Quick notes:
    Why now: Active Directory and internal pentests will always be my first love, but more and more of our customers are shifting to hybrid or full-Azure environments. Time to get some formal training in that lane.
    Self-paced vs. live: They offer both. I'm past the point of giving up Saturdays to security training, so I went with the ~$500 self-paced 30-day option. You get a portal, a lab manual, and a remote Windows VM with low-priv creds into a target Azure tenancy to attack and enumerate.
    The catch: The lab manual is thorough on "do this, see this output" steps, but light on "and here's the wow moment hiding in line 47 of the output." With the live class, an instructor would highlight that stuff in real time. In the self-paced version, you're on your own to find the meaning in 200 lines of output.
    The fix: Started a Claude project that's effectively co-teaching the class with me. I paste command output and ask "what's the important bit here?" — Claude pulls out the line that matters and explains why (e.g., "this user has write access to a key vault, which means…"). Way more efficient than ALT-TABbing alone.
    Tools I've touched so far: ROADtools, GraphRunner, and Monkey365 (kind of a PingCastle-for-Azure that spits out a health-check report).
    Where I'm at: Module 4 of 40-something. Course culminates in a 24-hour exam, which I swore I'd never do again after CRTP — but James Bond and Justin Bieber both say "Never say never."
    Tangent Town:
    The Shake Shack incident. It's gross and not funny. But kind of funny.
    Saw (and sort of met) Calum Scott at the Fillmore in Minneapolis. Standing-room-only venue, but my wife found a clutch spot wedged between a security barrier and a support beam, perfect for our family. During an acoustic set, Calum and his band came right past us. My wife (unable to help herself) gave his shoulder a squeezy squeeze. I held out for the fist bump on his return trip to the stage — and we're basically best friends now. I highly recommend his show: very positive guy, family-friendly, genuine.
    Seven super-fast non-spoilery movie reviews from plane rides and hotel nights:
    Coherence — for smart people. I am not those people. Probably great if you can follow it.
    Deadstream (Netflix) — YouTuber live-streams a night in a haunted house. Surprisingly entertaining, a couple of real jump-scares.
    Get Away — a family vacations on a forbidden island. Goes somewhere unexpected in the third act.
    Hell House LLC — found-footage haunted house. A couple of genuine flinches; story was just OK.
    Hokum — Adam Scott as a writer at a hotel with a personal history. Creepy-crawly, goes to some dark places. Loved it.
    Predator: Badlands — went in expecting mind-numbing action, but I loved it! I'd give it an 8 or 9 out of 10. It had action, LOLs, and even some tender Predator moments. Going to watch it again soon.
    Obsession — young man buys a wish-granting trinket so a young lady will like him. It works. Then it really works. The movie slowly goes into full-on bonkers sauce mode! Satisfying but uncomfortable to watch at parts.
    That's it! 7MinSec.com for services, 7MinSec.club for the Substack, 7MinSec.wiki for pentest tips and scripts.
About 7 Minute Security
7 Minute Security is a weekly information security podcast focusing on penetration testing, blue teaming and building a career in security. The podcast also features in-depth interviews with industry leaders who share their insights, tools, tips and tricks for being a successful security engineer.
v8.10.5| © 2007-2026 radio.de GmbH