Nic Fillingham 🇦🇺🇺🇸

@nicfill

@msftSecResponse + @msftBlueHat + Podcast co-host. Not an expert; good at asking questions. Dad of a #T1D How can I help?

Carnation, WA Joined February 2007
1.7K Following 1.5K Followers
Nic Fillingham 🇦🇺🇺🇸 retweeted
Microsoft Security Response Center @msftsecresponse
There is a lot of momentum around AI in cybersecurity and its ability to improve security outcomes at scale. At Microsoft, we are applying these capabilities to our long-standing work with the community to find and mitigate vulnerabilities more quickly and augmenting our security and development toolsets so we can better protect customers and Microsoft. Read more: msft.it/6011QNHuf
Nic Fillingham 🇦🇺🇺🇸 retweeted
Microsoft Security Response Center @msftsecresponse
We’re excited to welcome some of the world’s top security researchers to Zero Day Quest 2026 🎉 We kicked off the onsite hacking event with bowling, followed by dinner and drinks with incredible views. It’s the start of a full week of security research, collaboration with Microsoft teams, and social events including a Kraken hockey game, a brunch cruise, and more. We’re grateful to every researcher who qualified and joined us in person, as well as those participating remotely. Their work and partnership with Microsoft help protect customers and communities around the world. #ZeroDayQuest
Nic Fillingham 🇦🇺🇺🇸 retweeted
Microsoft BlueHat @MSFTBlueHat
BlueHat Asia Call for Papers deadline extended! You now have until September 14 to submit your talk for BlueHat Asia in Bengaluru, India on November 5–6! Share your insights on security research, emerging threats, and more. Don’t miss your chance to be part of the community. Submit now: aka.ms/bhasia25cfp #BlueHatAsia #SecurityResearch #CFP
Nic Fillingham 🇦🇺🇺🇸 retweeted
Microsoft BlueHat @MSFTBlueHat
Don’t miss your chance to be part of the BlueHat Asia community in Bengaluru this November! Submit your talk by September 5 to share your insights on emerging security threats, novel research findings, and more. ⬇️Submit your paper by September 5 ⬇️ aka.ms/bhasia25cfp #BlueHatAsia
Microsoft BlueHat @MSFTBlueHat

The Call for Papers is now open for BlueHat Asia in Bengaluru, India, taking place on November 5 - 6, 2025! This is your chance to showcase your thought leadership in vulnerability and mitigation, emerging security threats and techniques, novel research findings, calls-to-action for the security community, and more.
⬇️Submit your paper by September 5 ⬇️ aka.ms/bhasia25cfp
Here are some suggested topics to inspire your submission (but don’t feel limited by them—we’re excited to see what you bring to the community!):
▸ AI, Machine Learning, & Data Science
▸ Applied Cryptography
▸ Cybersecurity Careers
▸ Cybersecurity Policy
▸ Data Forensics & Incident Response
▸ Detection Techniques at Scale
▸ Exploit Development
▸ Human Factors
▸ IoT/OT & Critical Infrastructure Security
▸ Physical Security
▸ Quantum Security
▸ Red Team/Blue Team Lessons Learned
▸ Reverse Engineering
▸ Virtualization and Container Security
Don’t miss this opportunity to be part of BlueHat Asia. #BlueHatAsia

Nic Fillingham 🇦🇺🇺🇸 retweeted
Microsoft Security Response Center @msftsecresponse
One week ago, we came together at the MSRC Researcher Celebration during Black Hat to honor the incredible community that helps keep Microsoft secure. From meaningful conversations to Clippy through the decades on display, it was a night to connect and celebrate your contributions. Thank you to everyone who joined us. You’re the reason we do what we do. #BHUS
Nic Fillingham 🇦🇺🇺🇸 retweeted
Kazma @kazma_tw
Had an amazing time at Skyfall in Las Vegas — got so many cool shirts, pins, and stickers that mean a lot to me. Truly grateful to celebrate with so many talented researchers from MSRC! #MSRC
Nic Fillingham 🇦🇺🇺🇸 retweeted
Microsoft Security Response Center @msftsecresponse
We’re proud to partner with Microsoft Most Valuable Researchers (MVRs) like Azure Yang (@4zure9) from Cyber Kunlun, whose collaboration has driven meaningful changes in Windows Secure Boot. At Black Hat, Azure shared research exploring remote attack surfaces in the Windows boot process, helping Microsoft identify and address complex technical challenges in Secure Boot, including areas like network protocols, registry handling, and filesystem logic. This work highlights the critical role the security research community plays in protecting customers. #BHUSA
Nic Fillingham 🇦🇺🇺🇸 retweeted
Microsoft BlueHat @MSFTBlueHat
The Call for Papers is now open for BlueHat Asia in Bengaluru, India, taking place on November 5 - 6, 2025! This is your chance to showcase your thought leadership in vulnerability and mitigation, emerging security threats and techniques, novel research findings, calls-to-action for the security community, and more.
⬇️Submit your paper by September 5 ⬇️ aka.ms/bhasia25cfp
Here are some suggested topics to inspire your submission (but don’t feel limited by them—we’re excited to see what you bring to the community!):
▸ AI, Machine Learning, & Data Science
▸ Applied Cryptography
▸ Cybersecurity Careers
▸ Cybersecurity Policy
▸ Data Forensics & Incident Response
▸ Detection Techniques at Scale
▸ Exploit Development
▸ Human Factors
▸ IoT/OT & Critical Infrastructure Security
▸ Physical Security
▸ Quantum Security
▸ Red Team/Blue Team Lessons Learned
▸ Reverse Engineering
▸ Virtualization and Container Security
Don’t miss this opportunity to be part of BlueHat Asia. #BlueHatAsia
Nic Fillingham 🇦🇺🇺🇸 retweeted
Microsoft BlueHat @MSFTBlueHat
Save the Date: BlueHat Asia We’re bringing BlueHat back to India, this time in Bengaluru on November 5 - 6, 2025. Stay tuned for more details. We hope to see you there! #BlueHatAsia
Nic Fillingham 🇦🇺🇺🇸 retweeted
Microsoft Security Response Center @msftsecresponse
Microsoft has released security updates for all supported on-premises SharePoint Server versions. Cloud-hosted SharePoint is not affected. We strongly urge customers to apply these updates immediately to protect against active exploitation. Our latest blog also shares insights into the threat actors we’ve observed targeting these vulnerabilities, along with guidance on detection, protection, and hunting:
Microsoft Threat Intelligence @MsftSecIntel

Microsoft is sharing details from ongoing investigations of threat actors exploiting vulnerabilities targeting on-premises SharePoint servers. Linen Typhoon, Violet Typhoon, and Storm-2603 have been observed exploiting the vulnerabilities: msft.it/6015sE1p5

Nic Fillingham 🇦🇺🇺🇸 retweeted
Microsoft BlueHat @MSFTBlueHat
Missed BlueHat India 2025? Catch up now! Talks from Microsoft & global security experts are live on the @msftsecresponse YouTube channel: youtube.com/@msftsecrespon… From AI threats to ransomware ops, mobile red teaming and more, don’t miss these deep-dive sessions. #BlueHatIndia
Nic Fillingham 🇦🇺🇺🇸 retweeted
Microsoft BlueHat @MSFTBlueHat
Thank you to everyone who joined us this week. BlueHat is more than just a conference, it’s a community. One where the security community from inside and outside Microsoft come together as peers to share, challenge, and learn from one another. From deep technical talks to hallway debates, this year’s BlueHat India showed how collaboration fuels progress in cybersecurity. Together, we're helping build a safer, more secure world for everyone. Special shoutout to the BlueHat organizers and volunteers. This event would not be possible without your energy, dedication, and behind-the-scenes magic. Until next year. 💙 #BlueHatIndia
Nic Fillingham 🇦🇺🇺🇸 retweeted
Microsoft BlueHat @MSFTBlueHat
We kicked off Day 2 of BlueHat India with opening remarks from Charu Srinivasan, CVP of Engineering at Microsoft, who explored the rise of Agentic AI: autonomous agents that will soon play a role in nearly every system we build. Her message was clear: defenders must secure these agents and use them to strengthen security itself.
Ram Shankar Siva Kumar (@ram_ssk), Data Cowboy & Head of Microsoft’s AI Red Team, delivered a powerful keynote unpacking lessons from red teaming over 100 generative AI systems. From model manipulation to psycho-social harms, Ram showed how attackers are evolving and why security must evolve with them.
The rest of the day featured powerful sessions from across the community:
• Shriya Maniktala introduced Agentic AI red teaming, where LLM-powered adversaries adapt in real-time using live feedback and tools like AETHR
• Manish Gupta & Yash Bharadwaj showed how adversaries are using serverless platforms to build stealthy phishing kits that slip past traditional defenses
• Omkar Joshi & Pallavi Deshmukh revealed just how easily LLM safety guardrails can be bypassed, calling for adversarial testing and layered defenses
• Rituraj Jodha discussed how graph-based detection and Graph Neural Networks can surface malicious OAuth apps that hide in plain sight
• Sagar Bhure showed how deepfake detection systems can be defeated with subtle tweaks and adversarial image prompts
• Ashish Dhone (@ashketchum_16) shared lessons from earning over $50K in blind XSS bounties, highlighting overlooked surfaces like feedback forms and custom dashboards
To every attendee, speaker, and partner: thank you. Your dedication to learning together, sharing openly, and supporting one another is what makes BlueHat special. #BlueHatIndia
Nic Fillingham 🇦🇺🇺🇸 retweeted
Microsoft BlueHat @MSFTBlueHat
Tom Gallagher (@secbughunter), VP of Engineering at MSRC, opened BlueHat India with a question: “Anyone here a threat actor?” 👀 He went on to highlight the recent Microsoft Zero Day Quest, which saw over 100 researchers qualify. Today, we're proud to welcome three standout researchers from India—Niraj, Ashish, and Anto. And we’re just getting started. Submit your vulnerabilities to MSRC and join us in protecting customers, Microsoft, and the global community. #BlueHatIndia
Nic Fillingham 🇦🇺🇺🇸 retweeted
Dhiral Patel (4o4) @dhiralpatel94
Loved being on the #BlueHat podcast with @ZenOneSec and @nicfill! Grateful for the chance to share my bug bounty journey and experiences with @msftsecresponse. Hope it inspires some future hackers out there!
Microsoft Security Response Center @msftsecresponse

In the newest episode of The BlueHat podcast, we’re joined by Dhiral Patel (@dhiralpatel94), Senior Security Engineer at ZoomInfo and one of MSRC’s Most Valuable Researchers (MVR). After a hacked Facebook account sparked his interest in security, Dhiral dove into ethical hacking and quickly rose through the bug bounty ranks. He shares advice for getting started, from mastering web security basics to practicing on platforms like TryHackMe and Hack the Box. Listen to his journey from curious beginner to top bug hunter: thecyberwire.com/podcasts/the-b…

Nic Fillingham 🇦🇺🇺🇸 retweeted
Microsoft Security Response Center @msftsecresponse
Two weeks ago, some of the world's top security researchers gathered on the Microsoft campus for the first-ever Zero Day Quest Onsite Hacking Event, focused on finding and reporting vulnerabilities across Cloud and AI. From nonstop bug hunting and deep dives with Microsoft engineers to exclusive events like dinner at the Space Needle and a Seattle Mariners game, Zero Day Quest was equal parts security research and community building. Here’s a look at some of the highlights: #ZeroDayQuest
Nic Fillingham 🇦🇺🇺🇸 retweeted
Microsoft Security Response Center @msftsecresponse
At the Zero Day Quest Onsite Hacking Event closing ceremony, held at the iconic Space Needle, we celebrated the outstanding achievements of the security research community.
Top research leaders by bounty category
Azure+: Anonymous
M365+: Dylan Ryan-Zilavy & Railgun (Kunlun Lab)
Copilot: Jun Kokatsu
Most unique case
Awarded to the participant who submitted the most creative and original case: Railgun (Kunlun Lab) – SharePoint Online SQL Injection
SharePoint Online Challenge winners
Dylan Ryan-Zilavy & Railgun (Kunlun Lab)
Top three Zero Day Quest winners:
1st Place: Anonymous
2nd Place: Yanir Tsarimi
3rd Place: Dylan Ryan-Zilavy
Huge congratulations to all our winners and participants! Your efforts are shaping the future of Cloud and AI, and we cannot wait to see what you accomplish next. #ZeroDayQuest
Nic Fillingham 🇦🇺🇺🇸 retweeted
Microsoft Security Response Center @msftsecresponse
That’s a wrap on the final day of the inaugural Zero Day Quest. Researchers hacked until the very last minute, 11:59 AM PT, bringing three days of collaboration, creativity, and bug hunting to an exciting close. Afterward, we explored the best of Seattle on a city tour, then capped it all off with an unforgettable evening reception and awards ceremony at the iconic Space Needle. Huge thanks to the Zero Day Quest security researchers and Microsoft employees who brought their skills, passion, and energy to this inaugural event. Winners were announced last night during our celebration at the Space Needle. Stay tuned, we’ll be sharing the overall and category award winners publicly soon! #ZeroDayQuest