Original vulnerability research, threat analysis, and security advisories from our team. We practice responsible disclosure and work with vendors before publishing.
Web application vulnerabilities, API security flaws, and client-side attack vectors.
14 papersCloud misconfigurations, container escapes, and infrastructure attack paths.
11 papersDependency attacks, CI/CD compromise, and build system security analysis.
8 papersImplementation flaws, protocol analysis, and post-quantum cryptography research.
6 papersAn in-depth examination of attack vectors targeting build systems and dependency management, with practical mitigation strategies for development teams. Includes analysis of 15 real-world incidents and a defensive framework.
Examining how attackers exploit GraphQL introspection queries to map application schemas, extract sensitive data, and identify injection points. Includes a detection framework and mitigation playbook.
Analysis of common implementation errors in ML-KEM (Kyber) deployments. We identified timing side-channels in three popular libraries and worked with maintainers on fixes.
We discovered a class of container escape vulnerabilities leveraging eBPF capabilities in default Kubernetes configurations. Three CVEs were assigned. Patches are available for all affected versions.
A systematic analysis of OAuth 2.0 implementations across 8 major SSO providers, revealing state machine inconsistencies that enable authentication bypass and privilege escalation.
We built and deployed an automated system that identified 47 malicious packages on PyPI using typosquatting and dependency confusion techniques. The tool is now open source.
Documented twelve previously unreported IAM privilege escalation paths in AWS, including cross-service chains that bypass standard guardrails. All findings responsibly disclosed.
All vulnerabilities discovered by our team are reported to vendors through coordinated disclosure. We follow a 90-day disclosure timeline and work collaboratively with vendors to ensure patches are available before publication.
If you've found a vulnerability and need guidance on the disclosure process, we're happy to help. Reach out to our team.
Contact our team