Alex Matrosov

⛓️Confirmed, Intel OEM private key leaked, causing an impact on the entire ecosystem. It appears that Intel BootGuard may not be effective on certain devices based on the 11th Tiger Lake, 12th Adler Lake, and 13th Raptor Lake. Our investigation is ongoing, stay tuned for updates.

@chompie1337 @seanhn Not creative ones, or novel attack vectors specifically on compiled code. But more generally, things are evolving so quickly that 12 months ago I would have argued for even mid-level potential.

@seanhn That all to say, I believe a system could be built that is equivalent to a bordering on mid level researcher. I haven’t seen novel, creative exploit primitives built by an agent yet.

Using CC/Codex in interactive sessions has given me more empathy for scepticism about their use in hard exploit dev scenarios. You are working with a fundamentally diff category of system when you treat agents as a primitive for building search algorithms versus interactive tools

@julianor I suspect AI triage of SCA results without supporting evidence will have the same effect 🍿

Bug bounty programs are collapsing under AI slop. Assessment reports are full of perfectly written false positives nobody reads. Rethink the infosec deliverable. A few things:

@AndrewMohawk @Tenzai_Labs I always find these claims interesting coming from a company that hasn’t publicly disclosed a single CVE and is trying to build credibility on CTF scores.

This article really feels like @Tenzai_Labs paid for it, it doesnt describe/note the CTFs, has "elite, nation-grade offensive capabilities", no stats on anything, not even a link to the research that makes them have to justify these claims?

Get insights into your software supply chain, now free and open source. SBOMs are a powerful type of report. If you generate them, make sure you’re collecting and monitoring them at scale.

Shipping a secure open-source project isn’t easy, especially with today’s software supply chain complexity. So I wanted to zoom in and break down what it actually takes (in my case, a Rust project) to ship releases with confidence. I’ve been building @sbom_tools, and just wrapped up a sprint to harden the entire release pipeline. Here’s what the supply chain security posture looks like now: Release Pipeline (fully automated): - Trusted Publishing (OIDC) to , zero long-lived API tokens - SLSA Build Level 3 provenance attached to every GitHub Release - SSH-signed tags with tag immutability enforced at the org level - Tag-to-Cargo.toml version verification + main branch ancestry check CI/CD Security Layers: - 10-job CI gate: clippy, rustfmt, MSRV check, 4-platform test matrix, cargo-deny (licenses + bans + advisories), cargo-audit - CodeQL (Rust native SAST) on every push and PR - 6 fuzz targets covering all SBOM parser entry points - OpenSSF Scorecard running weekly with SARIF integration - All GitHub Actions SHA-pinned, permissions: read-only. Current @OpenSSF Scorecard: 7.5/10 (expecting ~9+ after score recalculation from the latest updates). This is the kind of effort every OSS maintainer should take on, owning your supply chain reduces the risk of putting users in danger.

Modern software supply chains have gotten wildly complex, and OSS projects are no exception. I’ve been using GitNexus to build a knowledge graph over the @sbom_tools repo, and it’s beautiful, but also kind of terrifying how much code I’ve been cranking out lately with my buddy @claudeai. github.com/abhigyanpatwar…

Most folks treat SBOMs like checkbox compliance. But for enterprises, it’s often the only visibility into vendor dependencies. We upgraded SBOM.Tools quality checks to stop rewarding missing data and to surface stub SBOMs. Check it out and give us feedback.

I think the core issue is that LLMs don’t have a priori knowledge of your threat model, so they must perform additional reasoning over the codebase to compensate. Because codebases are dynamic and often large, this reasoning becomes increasingly expensive in terms of tokens. Another challenge is that SAST reports typically provide very limited root-cause evidence. As a result, the LLM has to spend even more tokens digging deeper to validate and understand the findings. My main point is that layering LLMs on top of SAST is not a scalable approach, it quickly becomes cost-prohibitive.

@matrosov @daveaitel While this is true, a different approach that worked well in my experiments was to let LLMs, which understand the threat model, run the SAST tools and then begin the assessment based on those results.

openai.com/index/why-code… a Monday morning blogpost for your perusal and enjoyment !

Nice blog! This hits a real pain point with current SAST tooling. Most of it just runs a bunch of generic checks without understanding the actual threat model or where the real security boundaries are. That lack of semantic context is exactly the issue, I’ve been arguing for a while that detection logic needs to be context-aware, and trying to bolt that on manually with rules just doesn’t scale. This is a very natural place for LLMs to add value. With AI accelerating code production, we also need to move beyond the simple rubric of “bug exists -> reachable -> fix it.” That model breaks down at scale (reachable != exploitable). What’s missing is deeper context around exploitability, and how real is the risk, what’s the blast radius, and what actually matters to fix first. That’s the layer that will drive meaningful prioritization. Also, using LLMs purely for triaging SAST findings after the fact gets expensive very quickly at scale. It’s the easiest path, so a lot of tools go there now, but without deeper integration into the analysis pipeline, it’s a pretty inefficient approach.

🪄✨Announcing sbom-tools v0.1.16 — open-source SBOM analysis that helps you spot supply chain gaps faster. This release adds broader CycloneDX/SPDX + VEX support, OSV/CISA KEV enrichment, semantic diffing, quality scoring, and compliance checks. Try it: github.com/sbom-tool/sbom…

@seanhn Nice analogy, you gave me a good laugh :-) Most SAST solutions are a sloppy legacy, ages behind the progress in the field. Feeding LLMs reports packed with CVEs, no real evidence, and mostly noise is useless by design.

"Why don't LLMs start from SAST findings?" ... well, for the same reason we don't mount car chassis on a horse.

@qkaiser It represents over five years of dedication, innovation, and problem-solving in response to the many challenges we encountered throughout this journey. It is a true masterpiece brought to life by the entire team.

Spent the evening digging through the code. The engineering behind this is 🤌 deeply complex, yet full of elegant, high-leverage tricks to keep it fast. If you work on similar problems, there’s a lot here to learn from.

@pr0me Lukas, great stuff as always! I’m looking forward to the second blog, and the code has already aged quite a bit ;-)

@matrosov this is indeed an extension of our blog post, good point sharing it again, Alex, thanks :)

This is a very interesting piece of research by the team on algorithmic methods for effective complex type recovery. Practical type inference is a challenging problem the industry has been grappling with for years. paper: arxiv.org/abs/2603.08225 blog: binarly.io/blog/type-infe…

@nitzanfarhi The primary issue with IDA is its asynchronous processing (API limitations). I'm personally eager to see an official Rust API from @HexRaysSA.

@nitzanfarhi Yes, it definitely will. Work is already underway.

The dream of a fast and reliable binary analysis framework is now a reality. Today, we’re open sourcing VulHunt.RE 🎉 code: github.com/vulhunt-re/vul… docs: vulhunt.re/docs A huge kudos to the entire REsearch team!

@dcuthbert @REverseConf good idea!

@matrosov @REverseConf Ooof I like this!! Raptor addition???

This year at @REverseConf, we’re dropping something special, a project we’ve been heads-down on for a while that boosts semantic-level binary detection with reachability + taint analysis. Like CodeQL/Semgrep, but for binaries. VulHunt use cases: Vuln REsearch: binarly.io/blog/vulnerabi… Detection Eng: binarly.io/blog/vulhunt-i… VH Intro: binarly.io/blog/vulhunt-i…

Since we ❤️ Binary Ninja and @Vector35, we collaborated to bring support for using VulHunt and Binary Ninja together: #binary-ninja" target="_blank" rel="nofollow noopener">vulhunt.re/docs/user-guid…