Stop LLMs from brute forcing (guessing) APIs
Self-describing API responses for agents, but REST + Problem Details already solve this partially.
Hardware-enclave PIN security without the hardware: the key is split between the user's PIN and a rate-throttled key server, eliminating offline brute-force — wrong guesses hit a lifetime cap, like a TPM. Vanilla JS client + tiny PHP server.
TPM-like lifetime attempt caps in ~360 lines of vanilla JS and PHP.
Security engineers, app developers handling sensitive data
WebAuthn · YubiKey · 1Password
Self-describing API responses for agents, but REST + Problem Details already solve this partially.
/24 subnet brute-force detection is a specific security feature WHM lacks.
AES-256-GCM with key in URL fragment—clever crypto choice, but Teleport and 1Password Vaults already exist.
The core trick is simple and effective: let an agent iterate questions against a defined domain overnight and surface hundreds of candidly-annotated ideas you can scan through later. It nails the “fire-and-forget” idea dump and domain steering (tell it to focus on agencies or cybersecurity and it pivots), but it’s still essentially a convenience wrapper around an existing agent pattern — useful for volume and pattern recognition, less convincing on long-term validation or downstream filtering.
Encrypted spreadsheet for secrets with per-cell masking—but 1Password and Bitwarden do this.
FortiGate honeypot with counter-intel credential tracking and VT/OTX reporting.