The Latest From Our Team

  • Penetration Testing
  • C-Level

Pentesting in a Changing World - Where Do We Go from Here?

To put it mildly, cybersecurity has never been more critical. As the world has become more connected and the people in it have become more technologically literate, businesses across the globe are facing more security threats than ever before.

In the current challenging global environment, neither traditional pentesting solutions nor bug bounties are perfect methods of testing an organization's cybersecurity posture. While both bring unique benefits, they also get bogged down by practical, financial, and functional problems that neither can fix.

Other articles

  • API / Misconfiguration
  • Google Maps

A Pentester Story - How to Increase the Impact of an Underrated Issue

Google Maps API is a paid service that lets applications embed and search the Google Maps database. To consume those Google services, organizations need to use an API key, which is often found lacking proper security boundaries, leading to unexpected financial damage.

  • Compliance
  • SOC2 Type 2

SOC2 Type 2 Compliant - The Good, The Bad, The Ugly

Let's draw a line in the sand and say it: AUDIT != SECURITY. Meeting a strong compliance standard does not necessarily make a company bulletproof against cyberattacks. Compliance relies on a solid set of standards, while security is an active practice of defending against cyberattacks.

  • AppSec / Java
  • CVE-2021-44228

Java Log4j Vulnerability (CVE-2021-44228) - Keep Your Head Cool

The Java Log4j vulnerability proved to be one of the most severe security flaws in years. Six hours after the initial Proof-of-Concept was published, the situation had escalated quickly: the exploit was already reported to be weaponized and used at scale.

  • GANs / NLP
  • Social Engineering

Generative Adversarial Networks (GANs) - #EnemyUnknown

GANs emerged as a cutting-edge technology around six years ago. Using them showed that there are endless possibilities for generating realistic fake photos. In this blog I describe my experience dealing with an unexpected situation while using a social media platform.

  • Security Engineering
  • OSINT

PDF Documents Metadata and Practical Examples of How to Handle It

In this blog post we explore and detail a couple of straightforward technical solutions that any business can consider when limiting information exposure through the metadata fields of its public documents.

  • Security Engineering
  • C-Level

Pentesting is Just the Beginning

The security engineering skill-set gap has created a substantial market for contract-based pentesting: a gig-style, one-and-done arrangement driven by global freelancing and bug bounty platforms.

  • Offensive Security Testing
  • C-Level

Standard Pentest vs. Adversarial Simulation

If you are a C-level executive, a CISO, or hold a similar position, this article details a few hints about what a mature security vendor should provide to you as part of an engagement journey.

  • CRM
  • Information Disclosure

Probing Oracle Eloqua CRM for Sensitive Information Exposure

Jon Lu discloses the steps he took to trigger a Sensitive Information Exposure issue, starting by analyzing a couple of analytics tracking IDs and then further investigating a low-impact security misconfiguration.

  • Browser
  • Extensions

Microsoft Edge and the new attack surface

We take a closer look at Microsoft's stunning move of launching its new Edge browser to millions of Microsoft Windows 10 users via Windows Update. Microsoft's new Edge browser is based on the Chromium engine, the same engine used by the leading competitor browser, Chrome.

Security Hubs - June 15, 2020
  • Fuzzing
  • Tutorials and articles

Introduction to Fuzzing JavaScriptCore on macOS with AFL++

In this whitepaper, we'll focus on setting up a fuzzing environment on macOS 10.15.7.

  • Server Message Block (SMB)
  • Tutorials and Articles

Fuzzing Server Message Block (SMB) on macOS with Mutiny Fuzzing Framework

In this blog post, we will focus on setting up a fuzzing environment on Ubuntu 20.04.1 LTS with macOS 10.15.7 as the target, and we will set up everything manually, without using the Decept Proxy.

  • Mobile Security Testing
  • iOS

Bypassing common Jailbreak detection mechanisms - Part I

For the task ahead, we are going to use a jailbroken iPhone running iOS 14.3 (the latest version as of writing), Hopper Disassembler for reverse-engineering the application and Frida (dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers).

  • Mobile Security Testing
  • iOS

Bypassing common Jailbreak detection mechanisms - Part II

Writing a jailbreak detection bypass script using Frida. As in the previous part, we will try to describe the complete process of inspecting the application and writing scripts from the ground up to evade jailbreak detection.
