AI is starting to find real vulnerabilities on its own. But every time it runs without a human in the loop, things go sideways. The future of security research is human-guided AI, not AI alone.

We’re on a journey to advance and democratize artificial intelligence through open source and open science.

One zero-byte QUIC packet is enough to desynchronize HAProxy’s backend connection pool and smuggle HTTP requests across unrelated users — even users on a completely different frontend protocol.

A technical teardown of the RedSun zero-day — the second Defender escalation in two weeks from the same researcher — grounded in the actual source code.

Two phase intrusion: RDP brute force, privacy.sexy defense kill, Cobalt Strike, SoftPerfect Network Scanner, custom Rust exfiltration tool across 6,900+ Cloudflare IPs, personalized ransom notes addressed by name to every employee. Full negotiation chats…

The most important line in CVE-2026-33825's hundred-kilobyte proof of concept is two comment characters. A line-by-line walk of FunnyApp.cpp — the batch oplock, the object namespace redirect, the Cloud Files freeze, and what the author chose not to ship.

The third zero-day from the same researcher makes Defender permanently blind from a standard user account — no elevation required. A line-by-line walk of UnDefend.cpp, and the one mechanism that didn't ship.

This is the second in a series of posts about anonymous credentials. You can find this first part here. In the previous post, we introduced the notion of anonymous credentials as a technique that a…

AI is changing how vulnerabilities are found, not how they’re fixed. Defenders need a new approach: shrinking the attack surface before vulnerabilities exist.

Turning "cat readme.txt" into arbitrary code execution in iTerm2.

Bright Data's residential proxy SDK ships a public partner manifest listing the publishers it relays traffic through. CTV distributors reaching Comcast, Sky, LG, Samsung, Roku, and 125+ other TV brands are on the list. The SDK's 200 GB/month bandwidth budget…

How I went from dismissing TPM as a Windows 11 annoyance to using it as a hardware trust anchor for CodSpeed's bare-metal runners.

A prototype pollution attack in Adobe Acrobat ≤26.001.21367 makes every object in the JavaScript engine report that it's trusted. The PoC on GitHub isn't a scanner. It's a cross-platform, lure-merged, environment-keyed, campaign-tracked PDF weaponizer that…

A high frequency gravitational wave generator including a gas filled shell with an outer shell surface, microwave emitters, sound generators, and acoustic vibration resonant gas-filled cavities. The outer shell surface is electrically charged and vibrated…

Discord does not have read receipts by design. However, a bug in the OG image proxy reveals not only when a message was viewed, but also how often and for how long.

Have you ever wondered how those amazing space photos are taken? Are they exclusive to the big telescopes floating in space or can you take one from your backyard? What does it take to extract hydrogen colors out of a seemingly black sky?

By Eldor Zufarov, Founder of Auditor Core Based on the CSA/SANS document "The AI Vulnerability...

The Vercel breach shows how OAuth and AI integrations create hidden SaaS risk. Learn how access abuse, shadow AI, and identity threats are reshaping modern secu

I paid for all 65535 ports. I use all 65535 ports. And yes, a LLM is involved.

In april 13th 2026, online travel agency booking.com issued a major notification that echoed back to 2021. There was unauthorized access to…