Bishop Fox

12.1K posts

@bishopfox

A leading provider of #offensivesecurity solutions & contributor to the #infosec community. #pentesting #hacking VC @forgepointcap @carrickcapital @WestCap8

Tempe, AZ · Joined April 2013
4.3K Following · 25.7K Followers

Bishop Fox @bishopfox
“If I found an iOS exploit… I might just sell it and retire.” That’s the level we’re talking about. Why iOS exploits are so rare (and expensive) + the debate on locking platforms down

Bishop Fox @bishopfox
Enterprise app portfolios have exploded and traditional testing models weren’t built for this. Join our session with Practice Director Zach Moreno on how AI-assisted testing is helping teams scale AppSec without sacrificing depth. Mar 24 | 2PM ET bfx.social/4uzZVFO

Bishop Fox @bishopfox
If phishing kits can steal session tokens, are we still having the wrong conversation about MFA bypass? Leron Gray on why security is (and always will be) a cat-and-mouse game. Full episode: bfx.social/40zFkDL

Bishop Fox @bishopfox
Some puzzles take time. Happy Pi Day from Bishop Fox 🥧

Bishop Fox @bishopfox
The Bishop Fox Mexico team continues to push offensive security forward. They took first place at HackMex Finals and the EkoParty Red Team Space CTF, marking a third consecutive EkoParty win. Luis de la Rosa breaks down the competitions and what they reveal about modern offsec. See the team at HackGDL presenting sessions and workshops. bishopfox.com/blog/winning-c…

Bishop Fox @bishopfox
Enterprise app portfolios have exploded and traditional testing models weren’t built for this. Join our session with Practice Director Zach Moreno on how AI-assisted testing is helping teams scale AppSec without sacrificing depth. Mar 24 | 2PM ET bfx.social/471fE6J

Bishop Fox @bishopfox
Moving from Electron to frameworks like Tauri doesn’t necessarily eliminate risk, but it does change the mechanics of exploitation. New Bishop Fox research shows how XSS & permissive configuration can still lead to RCE in desktop apps. Full scoop: bfx.social/4cHVl1R

Bishop Fox retweeted
SC Media @SCMagazine
#IoT devices are most vulnerable on day one. In this op-ed, @bishopfox's Ben Lincoln shares 6 tips to reduce risk: update firmware, change defaults, segment networks, and choose vendors with transparent security practices. #cybersecurity #infosec #CISO bit.ly/47n84TY

Bishop Fox @bishopfox
Bishop Fox will be well represented at @HackGDL this week. Our team is presenting research and workshops on cloud security, hardware hacking, application security, reverse engineering, and career growth in cybersecurity. bfx.social/46VvboF

Bishop Fox @bishopfox
AI agents in developer environments raise a simple question: How much autonomy should they actually have? Shad Malloy explains why the answer may be least autonomy, the same philosophy as least privilege.

Bishop Fox @bishopfox
Introducing CloudFox GCP: A new extension of CloudFox designed to help practitioners assess Google Cloud environments from an attacker’s perspective. Now on GitHub: bfx.social/4rzRbNn

Bishop Fox @bishopfox
Enterprise app portfolios have exploded and traditional testing models weren’t built for this. Join our session with Practice Director Zach Moreno on how AI-assisted testing is helping teams scale AppSec without sacrificing depth. Mar 24 | 2PM ET bfx.social/46LNCMq

Bishop Fox @bishopfox
Most underrated engineering principle? YAGNI. If you’re building for a future that doesn’t exist yet, you’re adding complexity. From our recent workshop on building tools with @TomNomNom

Bishop Fox @bishopfox
@SEKTOR7net Thanks for the shoutout! Rust certainly changes how tooling is built. Great writeup by Nick.

Bishop Fox @bishopfox
AI agents don’t behave deterministically. They optimize for outcomes instead of following rules. @JustinGreis from @acceligence on why if you don’t want an agent to delete something… you can't give it access to delete it!

Bishop Fox @bishopfox
AI can scan everything. It can't verify like a human. Cosmos AI combines large-scale surface coverage with manual threat reviews built on 20+ years of Bishop Fox offensive research. Signal. Not Noise. bfx.social/4r3HJRQ

Bishop Fox @bishopfox
Smart TVs are part of your attack surface. We identified an arbitrary command injection vulnerability in Samsung Tizen OS (through 9.0) that allows OS-level command execution under developer mode conditions. Not high severity, but a security boundary bypass worth understanding