shubs (@infosec_au) 's Twitter Profile
shubs

@infosec_au

Co-founder, security researcher. Building an attack surface management platform, @assetnote

ID: 1674598830

https://assetnote.io 16-08-2013 02:55:36

4,4K Tweet

54,54K Followers

1,1K Following

sean (@seanyeoh) 's Twitter Profile Photo

I'm so proud of shubs and Michael Gianarakis for making this journey possible. Without them at the helm, none of this would have happened. Congrats to the team and best of luck keeping the dream alive

Michael Gianarakis (@mgianarakis) 's Twitter Profile Photo

It feels like only yesterday meeting with shubs at his apartment in Brisbane and riffing on the core ideas that would become Assetnote. I still remember the moment when we coined the phrase “attack surface management” back in 2018. To go from that point to seeing that

Daniel Grzelak (@dagrz) 's Twitter Profile Photo

How do hackers and security researchers enumerate resources inside AWS accounts? With awesome wordlists, that's how. Wordlists are at the heart of Awseye, which is an OSINT tool that has found almost 3.2 million AWS resources. Making good wordlists is surprisingly hard.

James Kettle (@albinowax) 's Twitter Profile Photo

This is a great infoleak exploit chain targeting YouTube by skull. Love the use of a DoS flaw to make the attack stealthier! brutecat.com/articles/leaki…

Searchlight Cyber (@slcybersec) 's Twitter Profile Photo

.Assetnote, now a Searchlight Cyber company, has published the discovery of a new critical vulnerability in the Palo Alto Networks management interface, PAN-OS. slcyber.io/blog/nginx-apa…

shubs (@infosec_au) 's Twitter Profile Photo

When researching Palo Alto PAN-OS, Assetnote's Security Research team discovered an authentication bypass due to flaws in its architecture. Our team digs a lot deeper than surface-level CVEs; this research is an example. slcyber.io/blog/nginx-apa…

spaceraccoon | Eugene Lim (@spaceraccoonsec) 's Twitter Profile Photo

Writing a technical book is only a small fraction of the work. You still need: 1. Technical review 2. General editing 3. Copy editing 4. Cover designing 5. Proof reading <— I am here “From Day Zero to Zero Day” is a way better book thanks to the amazing team at No Starch Press and I

Victor Fresk0 (@hacefresko) 's Twitter Profile Photo

Good news! I've uploaded a new post about the most complex and beautiful vulnerability I've ever found, involving patching and uploading deprecated .jar libraries to get RCE on a big target. It's a very technical post, but I hope you like it ! :) hacefresko.com/posts/rce-on-s…

Lupin (@0xlupin) 's Twitter Profile Photo

Depi is breaking barriers in Software Supply Chain Security. We expose hidden vulnerabilities before they become breaches, no passive defense here. Get ready to disrupt the norm 🤟

shubs (@infosec_au) 's Twitter Profile Photo

Really enjoyed reading about the temporary file upload trick to load an arbitrary SQLite extension in this deserialization gadget for Rails: elttam.com/blog/rails-sql…

shubs (@infosec_au) 's Twitter Profile Photo

The security research team at Assetnote reported a critical pre-auth RCE vulnerability affecting Sitecore XP 10.4 late last year. We continue to protect our customers from 0day vulnerabilities long before patches arrive. Read the blog here: slcyber.io/blog/sitecore-…

shubs (@infosec_au) 's Twitter Profile Photo

Are you in Australia and want to work as a security researcher full time, remotely? Want to work with extremely passionate and capable security researchers? Come work with me, and apply for our Security Researcher role at Searchlight Cyber: searchlight.bamboohr.com/careers/187

spaceraccoon | Eugene Lim (@spaceraccoonsec) 's Twitter Profile Photo

Why hack one device, when you can hack a million of them? My latest blogpost based on my NULLCON talk explores hacking smart weighing machines and health devices by hijacking their user-device association flows. spaceraccoon.dev/pwning-million…

shubs (@infosec_au) 's Twitter Profile Photo

We recently looked deeper at the authentication bypass vulnerability in Next.js (CVE-2025-29927) and discovered some intelligent and comprehensive ways to check for the vulnerability. Read more in our blog post: slcyber.io/assetnote-secu…

Lupin (@0xlupin) 's Twitter Profile Photo

The article is out ! 🤟 Title: We hacked Google’s A.I Gemini and leaked its source code (at least some part) We worked on this with Justin Gardner and I'm so excited this is finally out ;) Link in the thread 🧵

shubs (@infosec_au) 's Twitter Profile Photo

IT support software is often exposed on the ext. internet. Auditing the code of Halo ITSM, we found a sink that led to a critical pre-authentication SQLi. We reflect on how loose typing led to this vuln when compared to the rest of the codebase. Read more: slcyber.io/assetnote-secu…