// 008 · RESEARCH FEED · 23 ENTRIES · CURATED

The intel feed.

Vulnerability writeups, threat-actor analyses, conference talks, and the occasional opinion. We publish what we can; the rest stays under NDA. Updated whenever there's something worth saying — not on a schedule.

An authentication bypass in a widely-deployed identity provider, and what we learned about session forgery

Coordinated disclosure · Patched

Discovered during a flagship engagement in Q1. A logic flaw in the session-token signing process allowed an attacker with read access to a single user's cached token to forge valid sessions for arbitrary tenants. Full writeup, PoC, and the detection rule that would have caught us.

APT29 in 2026: how their cloud tradecraft has changed, and what we keep getting wrong

A retrospective on twelve emulation engagements against APT29 over the last 18 months. The actor's pivot from on-prem AD to cloud identity is more complete than most public reporting suggests. We cover three TTPs that don't appear in current ATT&CK mappings — and why defenders should care.

Teaching an LLM to think like an attacker: anatomy of an autonomous red team agent

The architectural decisions behind Obsidian-3.2. Why we use a critic sub-agent. How we constrained tool use without lobotomizing reasoning. What didn't work — including two months of dead-end work on tree-search planning that we eventually threw out.

ADV-2026-002: A side-channel in three popular HSM products affecting ECDSA P-256 signing

Coordinated disclosure · Patched

Joint research with two other firms (named in the advisory) showed a timing leak in the ECDSA signing path of three widely-deployed HSM products. Vendors notified Day 0; one has patched, two have committed timelines. No weaponized PoC released until all three ship.

Harvest-now-decrypt-later, in actual numbers

We took a sample of 500 large enterprises' externally-visible TLS posture, projected forward against three CRQC timeline scenarios, and ran the math on what's actually at risk. The headline isn't great: by 2032, roughly 78% of in-flight session data we can see today would be retroactively readable under the median scenario.

Scattered Spider's social engineering playbook, reverse-engineered from 4 incidents

Composite analysis of four incidents we've observed (three under NDA, one public). The script-flow they use against helpdesks is more rigid than the chaos in their post-access tradecraft suggests. We publish the script anatomy and three detection signals that catch it before the password reset completes.

FIRST 2025 · Volt Typhoon LotL detection gaps in regulated infrastructure

Slides and talk recording from the FIRST conference in Copenhagen. Joint research with two collaborating SOC teams. The detection content from this talk has been adopted into the public Sigma rules repository — a small but real improvement in baseline coverage.

Why we threw out our first three Obsidian agent architectures

Three architectures that didn't work, why each one failed, and what we kept from each. Written for engineers building agent-based red-team tooling who want to skip eighteen months of our mistakes.

A privilege escalation chain in a popular CI/CD platform's job-runner sandbox

Coordinated disclosure · Patched

Found during routine engagement scoping (we use this platform internally). Container escape → host privilege → cross-tenant access in three chained primitives. Vendor responded within 24 hours and shipped the patch 17 days later. Full writeup with the PoC.

FIN7 isn't what it used to be — and the new tradecraft is more dangerous

FIN7's 2023–2024 hiatus and re-emergence under several apparent sub-brands. We dissect three campaigns observed in retail and hospitality during 2025 and explain why their new affiliate structure makes traditional indicator-based detection brittle.

ADV-2025-007: Trust-store mis-handling in three browser extensions used by enterprise SOCs

Three popular SOC-focused browser extensions independently shipped versions that didn't verify the CA chain of their update endpoint. Result: a self-signed cert on a typo-squatted domain would have shipped a malicious update silently. All three vendors patched within 30 days. Advisory + the YARA rule we wrote to detect the historical bad versions.

Prompt injection in production: what we keep finding, after 47 LLM application audits

Common patterns from 47 production LLM application audits between Q3 2024 and Q1 2025. We categorize the failures, rank them by exploitability, and put a stake in the ground about which mitigations actually work versus which ones make the audit report look better without changing outcomes.
