Shockwave - External Attack Surface Management.

68 posts

@shockwave_sec

We specialize in protecting businesses from externally facing threats through our advanced Attack Surface & Continuous Threat Exposure Management Platform.

Joined April 2022
2 Following · 1.7K Followers
Shockwave - External Attack Surface Management. retweeted
Nagli @galnagli ·
2024 was incredible – grateful for everyone who made it special! 🙌 💰 $2,000,000 all-time bounties on @Hacker0x01 💸 2 Mega bounties on @Bugcrowd – $80,000 & $125,000 🏆 Live Hacking Event Awards from Miami, Seattle, Paris, Gdansk, Las Vegas, and Edinburgh 📈 Back to full-time at @wiz_io in an exciting role after scaling my startup @shockwave_sec 🌍 40 flights and millions in miles – fortunate enough to fly first class with @lufthansa ,@emirates & @SingaporeAir Looking ahead… Shifting focus from bug bounty to deeper security & cloud risk research, I found some incredible bugs recently that I can’t wait to share with the community. There’s a lot more to come! 🙂
Shockwave - External Attack Surface Management. retweeted
Nagli @galnagli ·
Excited to share some big personal news today, I have joined @wiz_io to enhance their Risk & Threat Exposure Management and build a new disruptive Risk MDR offering. It's been quite a ride working on @shockwave_sec for the past couple of years as a solopreneur and as a bootstrap company in a crowded Attack Surface Management space, yet to deliver immense value to our customers and partners. I'm pretty proud of our achievements - dozens of clients, 6 digits ARR and hundreds of critical issues identified and mitigated at industry-leading pace. Wiz is the perfect place to execute my original mission that started with Bug Bounties and shockwave.cloud by scaling to a massive audience and deliver Invaluable impact globally. Thrilled to get started and looking forward to what's to come : )
Shockwave - External Attack Surface Management.
Scan, Detect and work on mitigation within any of the Polyfill[.]io backdoor leftovers across your external Attack Surface in a matter of 2 clicks. We're thrilled that our product makes it as simple as it gets to do these actions, and offer assistance on our website. #ASM
Shockwave - External Attack Surface Management. retweeted
Nagli @galnagli ·
The Polyfill[.]io backdoor is wild! From what I read all over on Twitter, the person who was in charge of the domain sold it to rogue actors back in February and ever since it served as a backdoor to hundreds of thousands of major websites that had it referenced within a script tag, pretty insane universal XSS with real-world impact. I've created a Nuclei Template to detect the existence of the script, please note that it's already fixed (@Namecheap nuked the domain) so the backdoor is no longer a threat, but still good to know and remove the reference. Nuclei Template: github.com/NagliNagli/Sho… LinkedIn with a little more details: linkedin.com/feed/update/ur…
Shockwave - External Attack Surface Management. retweeted
Nagli @galnagli ·
Just got awarded the prestigious P1 Warrior Belt by @Bugcrowd for submitting over 100 valid critical submissions to companies on their platform, manually and using shockwave.cloud automation engine. Among the companies that I worked with to remediate critical, exploitable vulnerabilities are @OpenAI, @Tesla, @TMobile, @Atlassian and many more. Thankful for the opportunities and excited for what the future holds! #BugBounty
Sam Curry @samwcyo ·
@snyff Reporting back: there were around 200 vendors all selling the exact same ASM product. Lots of schmoozing. The marketing suggests we must rally the troops for the upcoming AI cyber war. OpenSSL is becoming a for-profit corporation. Those are all my notes.
Louis Nyffenegger @snyff ·
I'm unfortunately missing RSA this year (as always), please hit me with your best vendor cringe!
Shockwave - External Attack Surface Management. retweeted
Nagli @galnagli ·
Working on @shockwave_sec in my Self Driving Waymo around RSA with @iangcarroll and @samwcyo - we have a fantastic driver on board 🤖🚕
Shockwave - External Attack Surface Management.
👀 Alert with Externally Facing Valid POC -> Remediation -> Retest, that's how it's done. Our Attack Surface & Threat Exposure modules are continuously evolving, exciting features are on their way. #CTEM #BugBounty
Nagli@galnagli

Excited to finally cross the 40,000 reputation points mark on @HackerOne with 2x $5,000 bounties for RCE's, this time it was directly streamlined from shockwave.cloud, grateful to see the hard work paying off! #BugBounty

Shockwave - External Attack Surface Management. retweeted
Nagli @galnagli ·
Had a blast this week hacking on @Bugcrowd's @TMobile BugBash, we have scooped $80,000 bounty over one submission, crazy web & mobile findings and even an Apple Vision Pro Show & Tell. Kudos to the folks @samwcyo @iangcarroll @d0nutptr and everyone who helped running the event!
Bellevue, WA 🇺🇸
Shockwave - External Attack Surface Management. retweeted
Nagli @galnagli ·
Super Stoked to win the Eradicator award and scoop $24,170 together with @hacker_ @m0chan98 by finding a critical vulnerability on-site at @Hacker0x01's Miami Beach Live Hacking Event targeting @CapitalOne 🌴 A Perfect way to wrap up a Fantastic event! #BugBounty #H1305
Miami Beach, FL 🇺🇸
Shockwave - External Attack Surface Management. retweeted
Cyburger @Cyburgerim ·
C/ External Attack Surface Management (EASM): understanding the weak points/attack points of organizational assets from an attacker's *external* point of view (external scans) – vulnerabilities, misconfigurations, abandoned subdomains, leaked creds and more @rapid7 (IntSights), @CyCognito, @IONIX_io, @shockwave_sec, @flaresystems
Shockwave - External Attack Surface Management. retweeted
Nagli @galnagli ·
Apart from #BugBounty, professionally, this year has been a tremendous one as entrepreneur for shockwave.cloud's Bootstrapped Attack Surface Platform. * 0 -> Double Digits Paying Customers * 0 -> 💰💰💰💰💰💰 6 Digits Revenue * Traveled across 17 countries ( 🇺🇸 🇦🇪 🇬🇧 🇰🇷 🇦🇹 🇯🇵 🇬🇷 🇵🇹 🇦🇷 🇧🇸 ) within 5 continents to conduct business globally with partners from wide variety of industries. * AI, Responsible Disclosure, Integrations with the world leading security products (@wiz_io , @AxoniusInc, and more), Industry-leading continuous monitoring capabilities. * 0 Lines of Code -> Over 10,000 Lines of Code. I want to thank shockwave.cloud's clients and partners and all the people I collaborated with in this year's day-to-day Bug Bounty engagements and Live Hacking Events. We have delivered extraordinary findings throughout the year and eager to see what's coming in 2024. Happy New Year!
Shockwave - External Attack Surface Management.@shockwave_sec

We want to thank our clients for choosing our platform and being 💯 collaborators on the joint journey in protecting your externally facing assets. 2023 has been full of extraordinary findings and platform enhancements, and eager to see what's coming in 2024. Happy New Year!

Israel 🇮🇱
Shockwave - External Attack Surface Management.
We want to thank our clients for choosing our platform and being 💯 collaborators on the joint journey in protecting your externally facing assets. 2023 has been full of extraordinary findings and platform enhancements, and eager to see what's coming in 2024. Happy New Year!
Shockwave - External Attack Surface Management.
Our Attack Surface Management all-in-one solution helps mature Bug Bounty programs and more thoroughly our clients with continuous monitoring at all times, we only alert for exploitable risks. https://www.shockwave[.]cloud Happy Holidays! 🎄🕎
Nagli@galnagli

@Tesla @samwcyo @iangcarroll Had a nice 5 digits payday today while Skiing at Lake Tahoe with @samwcyo ⛷️ Been pretty distracted / vacationing / @shockwave_sec biz stuff lately but officially completed the challenge ✅ Happy Holidays! 🎄🕎

Shockwave - External Attack Surface Management. retweeted
Nagli @galnagli ·
AI helps greatly translating JavaScript to "Human Readable Language", here's how I found a very straightforward DOM Based XSS in 2 minutes. #BugBounty