7 Minute Security

Written by: Brian Johnson

7 Minute Security is a weekly information security podcast focusing on penetration testing, blue teaming and building a career in security. The podcast also features in-depth interviews with industry leaders who share their insights, tools, tips and tricks for being a successful security engineer.
Episodes
  • 7MS #726: Baby's First Hermes
    Jun 12 2026

    Hello friends! I've been on a bit of an AI agent journey lately, and today I'm sharing my experience ditching OpenClaw and going all-in on Hermes — a self-hosted AI agent built by Nous Research. A Network Chuck video sold me on it, I wiped my Mac Mini (again), and baby's first Hermes adventure began!

    Here's what we get into today:

    • Why I left OpenClaw — After getting the Mac Mini set up, OpenClaw left me feeling pretty meh: burning through API requests, random mid-conversation shutdowns, and a marketplace where the top listings were flagged as "potentially malicious." Hard pass.
    • Network Chuck's five reasons Hermes rocks — His video summarized why Hermes stands out: (1) Nous Research has serious open source model cred predating OpenClaw, (2) more flexible persistent memory via markdown files + optional Honcho integration for building a profile of you over time, (3) a mission around humanistic and democratic AI, (4) a self-improvement loop where it writes its own skills after figuring things out, and (5) it just doesn't break — it feels like a product, not a project.
    • The install — I used Claude to build a Mac Mini install guide from the Network Chuck transcript, and had Hermes up and running in about 15 minutes (one small Ollama hiccup aside). The install wizard lets you choose cloud models like Claude or ChatGPT, or go fully local with something like Gemma — I'm planning a hybrid setup with two Telegram bots.
    • First real-world use: sitting in a truck running errands — With Hermes running on the Mac Mini and connected via Telegram, I asked it what it could do. It suggested Uptime Kuma for LAN monitoring — weirdly well-timed since I'd just been thinking about flaky IoT devices. I said "go install it," and it did — narrating its own troubleshooting out loud the whole time like a little robot intern.
    • Remote access and Home Assistant — Had it install Home Assistant for smarthome control too, with plans to wire up Twingate for remote access (it had a Tailscale skill ready to fire in about two seconds, but I'm trying to keep VPN services consolidated).
    • Daily digest via email — Hooked Hermes into a dedicated Gmail account and set up a 6 a.m. cron job that sends me a personalized morning digest: weather for my watched locations, recent breach/CVE news from select sites, and a summary of my favorite pentesting-focused Mastodon accounts. Needs tuning, but the first digest landed this morning and it's really good!
    • The privacy angle — The real long-term win I see here is a hybrid model: feed raw, unsanitized pentest data to a local private model, let it analyze and sanitize, then hand off the clean version to a cloud model for deeper insight. Best of both worlds without the data exposure anxiety.

    Check out the Network Chuck video that started it all, and as always, if you're doing cool AI + security stuff, I'd love to hear about it. Find our pentesting services and training at 7MinSec.com, pentesting tips and scripts at 7MinSec.wiki, and if you want to support the show, head over to 7MinSec.club.

    22 mins
  • 7MS #725: Building a Bulletproof Backup Solution
    Jun 5 2026

    Hey friends! Backups are not as cool as pentesting, but boy do they matter when things go sideways. This week I'm sharing how a Proxmox backup disk space meltdown led me to a completely overhauled — and honestly pretty bulletproof — backup setup for both home and work. Claude played a big role in helping me sort it all out.

    Here's what we get into:

    • The backup history tour — I've been through CrashPlan, Dropbox, Backblaze (which saved my bacon after my house fire in 2019!), and a mystery one that may or may not have had "Panda" in the name. These days I'm settled on ARQ for personal backups — dead simple, backs up to just about everything (Dropbox, OneDrive, Google Drive, even their own ARQ Cloud for ~$80/year), and all data is encrypted at rest. Not a sponsor, but they should be.
    • The 3-2-1 rule — I actually asked Siri mid-episode, and she initially thought it was a grounding/anxiety technique. (Valid, I guess?) The real answer: three copies, two different media, one offline. I've got a local copy plus OneDrive, Google Drive, and Dropbox — so I think I'm covered.
    • The work side: Proxmox + PBS — My "data center" is a beefy Hetzner Proxmox box with about a dozen VMs. I had Proxmox Backup Server (PBS) set up on a secondary Hetzner box, happily cranking away… until it ran out of disk space and started yelling at me every night.
    • Claude to the rescue — I spun up a Claude project, fed it terminal output and retention configs, and it gave me a straight-up honest assessment: either gut your retention policy (risky) or get more disk. It then walked me through Hetzner's auctions page — which I didn't even know existed — to find a storage-heavy, low-horsepower box. Ended up with two mirrored 8TB drives plus a 14TB drive for around $40/month. Not cheap, but totally worth it as a business expense.
    • The new setup — PBS is now on its own dedicated Hetzner box. VMs from both my data center and my home NUC Proxmox box back up there nightly. Claude also suggested using that 14TB drive as an SFTP target for ARQ, giving me yet another redundant copy of all my personal data. It'll take a few weeks to fully sync, but I'm running some flavor of the 4-3-2-1 rule now (I made that up).
    • Proxmox forever — Someone wrote in asking if I'd go back to ESXi now that Broadcom brought back the free version. Hard no. I've fallen in love with Proxmox and I'm not going back.
    • 7MinSec wiki scripts repo — Head over to 7MinSec.wiki and click the Scripts button to find a new GitHub repo where I'm publishing pentesting scripts. First one up: a push-button Exegol installer. More to come — and I'll probably tease new scripts first over at 7MinSec.club on TuesdayTOOLSday!

    Have a backup horror story — or a setup you're proud of? Hit us up! And if you need assessments, pentesting, training, or other security goodness, find us at 7MinSec.com.

    22 mins
  • 7MS #724: Tales of Pentest Pwnage - Part 85
    May 29 2026

    Hey friends! Today we're going deep on external network pentesting — something I realize we've barely touched in however many episodes we've done. I'm currently in a long stretch of back-to-back external assessments, so it felt like a good time to talk about it.

    Here's what we get into:

    • Scoping headaches — why the old "count your public IPs and multiply by a big hourly rate" approach drives me crazy, and how we actually scope external tests to be fair to everyone
    • Web apps in scope or not? — this needs its own conversation before the test starts, and skipping it causes pain later
    • Testing under real conditions — the debate around whether to request an allowlist vs. scanning as-is, and why I lean toward creating the best testing environment possible
    • Multi-tool enumeration — why we run Nessus, Project Discovery, and Shodan together, and what each catches that the others miss
    • Reporting the surface — why just walking a customer through what's exposed to the internet (ports, services, screenshots) has more value than I used to give it credit for
    • SNMP and NTP findings — two protocols that keep showing up open when they really (probably) shouldn't be
    • OSINT phase — how we've grown externals to include open-source intelligence work on the customer's domains, not just IP-level scanning
    • WordPress hygiene — it keeps coming up on these assessments, and I've got some practical recommendations
    • Dorking and metadata searches — using AI to quickly sift through publicly exposed documents for things attackers could use to pretext a social engineering attack
    • Subdomain hijacking — a sneaky attack path I've seen in the wild that flies right in the face of all the "check if the URL is spelled right" advice we give users

    Even when the technical findings are pretty quiet, there's a lot you can do to punch up an external pentest report with stuff that's genuinely valuable to customers!

    30 mins