stuxf (@stuxfdev)

45 posts

co-founder and ceo @verialabs (yc f25) | hack things @smiley_ctf

Joined September 2025
147 Following, 292 Followers

Pinned post
stuxf @stuxfdev
We spun out of the #1 hacking team in the US and built AI that finds what even the best hackers miss. During one engagement, it found 6 different ways to take over any user's account on a popular webapp. Completely autonomously. Then suggested fixes for every single one. Today we're announcing @verialabs' $3.2M seed, backed by @ycombinator, @gokulr, @paulg, and @woloski (co-founder of Auth0), and many other great investors. DM me if you want to know what we'd find in your app.
Hahnbee Lee @hahnbeelee
nick is pushing me to share more of my writing publicly. dipping my toes into it by leaking my own internal memo
stuxf reposted
.;,;. @smiley_ctf
We just qualified 2 teams for DiceCTF Finals, with one of our teams getting 2nd place overall! Congrats @BunkyoWesterns on winning and we'll see everyone in NYC! insert line about llms ruining ctfs here
stuxf @stuxfdev
Went to @ycombinator startup school last year, ended up having dinner w/ visiting partner @aroraharshita33 decided to apply for the fall batch and got in after :) if you're at all interested in startups, highly recommend applying, free sf trip and a life changing two days
Y Combinator @ycombinator
Startup School is back! Hear from Jensen Huang, @sama, @alexandr_wang, @JeffDean, and more. Join a hand-selected group of top CS students, researchers, and engineers for two days of talks, sessions with YC partners, and hands-on robotics demos, right here in San Francisco.
stuxf @stuxfdev
@theo You can find these pretty easily by looking at unsolved problems from recent CTFs, they typically match your criteria of being programmatically verifiable and not being able to be solved by an LLM
Georgios Konstantopoulos @gakonst
looking to work with more LLM auditors for @tempo - pls DM me with your tool & proof of it working in real projects!
wen @wen_rahme
@MetorialAi takes security seriously.
stuxf @stuxfdev
@TheGregYang you should make a list of your favorite movies and/or books! especially as you watch more of these
stuxf reposted
Veria Labs @verialabs
We hacked a Times Square billboard! jk! @brexHQ put us up there for YC F25. Back to actually finding security vulnerabilities.
stuxf @stuxfdev
@peer_rich @vrexec great points, most vibe coded internal apps end up being horribly insecure because it’s just not as much of a priority
VEO @vrexec
So I made my own private meeting scheduling / call booking website using Claude (hosted/rendered inside Lovable). It took probably about 6 hours of total dedicated time and about $100 in compute credits. I will never use any other call scheduling service again... ever in my entire life. Why is everyone not doing this? Help me understand. "Mid" SaaS is dead forever. Short it all.
stuxf @stuxfdev
@thdxr agents are what convinced me to stay with nix instead of moving off
zefram.eth @boredGenius
Introducing CallMe, a minimal plugin that lets Claude Code call you on the phone. Start a task, walk away. Your phone/watch rings when Claude is done, stuck, or needs a decision. Free & open source (MIT). Underlying API costs are cents per minute of call.
stuxf reposted
Cayden Liao @Cayden_Liao
🧵 Broke Eigen Network's zkVM. Found a missing check in its FRI implementation that lets attackers forge arbitrary proofs.
stuxf reposted
.;,;. @smiley_ctf
We're officially top 3 in the world on CTFtime for 2025, up from 13th last year! yay

This year, we also:
- hosted the first ever smileyCTF, with 1,000+ teams playing
- went to in-person CTFs in Switzerland, Las Vegas, NYC * 2
- qualified for SECCON and LakeCTF 2026 finals
stuxf @stuxfdev
@handotdev 45 mins is an incredibly fast time to go from notification to fix. great work handling this, most companies take weeks for vulns far worse than this
Han Wang @handotdev
Over the past few days, I asked our team to intentionally stay away from social media to focus on our customers. We put out an initial statement from our blog, but did not draw enough attention to it. Now that the dust has started to settle, I want to share our perspective on what happened.

What happened?

We messed up. We overlooked a foundational design flaw that put many of our customers at risk. This was a serious mistake, and we take full responsibility. It is our duty to hold up high security standards, and we failed to meet those standards. We should have known better and done better.

The timeline of events

On November 12, 2025, we were notified that security researchers discovered a cross-site scripting vulnerability. This meant that a static asset (images, PDFs, SVGs, etc.) that gets uploaded to one customer's project could be accessed from another customer's domain. All alarm bells went off. Within 45 minutes of being notified, we deployed a fix to production and immediately began auditing all assets across our entire platform. While we did not uncover any exploitation through this vulnerability, we contacted every possible at-risk customer by 10:25 PM that day. Over the following weeks, we've worked with the researchers to not only address the initial vulnerability, but to identify and fix several others.

The people who helped us

I want to thank @xyz3va, @MDLcsgo, and @hackermondev, who brought this issue to our attention and worked alongside us over the past few weeks not only to fix the issue, but to make our vulnerability known to strengthen security practices everywhere. I am genuinely grateful for their work in helping us secure our systems.

What we're doing now

We're expanding our bug bounty program (linked below) significantly, and continuing to put resources into our security infrastructure and practices. This incident made clear that we need to do more, and we will. To our customers: thank you for your patience and your trust.
We know trust is earned, and we're committed to earning it back. - Han
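The design flaw described in the post above (an asset uploaded to one customer's project being served from another customer's domain) is easy to reproduce in miniature. The following is an added example, not the post author's or the affected platform's code: a constructed multi-tenant asset handler with the vulnerable lookup beside a hardened one. The hardened version scopes every asset to the project that owns the requesting host, and serves active content types (SVG, HTML, XML) with headers that keep them from executing in the site's origin when opened directly. The hostnames, project ids, file names and asset bodies are made up.

```javascript
// Constructed example of a multi-tenant static-asset host: each customer's
// site is served on its own domain, uploaded assets live in one shared store.
// None of this is the affected platform's real code.

// Constructed sample data: which project owns which domain ...
const projectByHost = new Map([
  ["docs.acme.example", "proj_acme"],
  ["docs.globex.example", "proj_globex"],
]);

// ... and which project owns which uploaded asset. logo.svg carries an
// onload handler, the classic stored-XSS payload in an SVG upload.
const assetStore = new Map([
  ["logo.svg", { owner: "proj_acme", mime: "image/svg+xml", body: '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>' }],
  ["diagram.png", { owner: "proj_globex", mime: "image/png", body: "\x89PNG..." }],
]);

// Vulnerable: the asset is looked up by file name alone, so any customer domain
// serves any other customer's upload. Navigating docs.globex.example/logo.svg
// renders acme's SVG inline, and its script runs in globex's origin.
function serveAssetVulnerable(host, path) {
  const asset = assetStore.get(path);
  if (!asset) return { status: 404 };
  return { status: 200, headers: { "content-type": asset.mime }, body: asset.body };
}

// Content types a browser will execute script from when rendered as a document.
const ACTIVE_TYPES = new Set([
  "image/svg+xml",
  "text/html",
  "application/xhtml+xml",
  "text/xml",
  "application/xml",
]);

// Hardened:
//  1. resolve the tenant from the requesting host and refuse assets owned by a
//     different project (same 404 as "missing", so paths cannot be used to
//     probe other tenants' uploads);
//  2. send nosniff so the declared type is honoured, a sandbox CSP so a directly
//     opened upload has no origin privileges, and for active types force a
//     download instead of inline rendering. <img src="logo.svg"> keeps working,
//     because Content-Disposition only affects navigations.
function serveAssetHardened(host, path) {
  const project = projectByHost.get(host);
  if (!project) return { status: 404 };

  const asset = assetStore.get(path);
  if (!asset || asset.owner !== project) return { status: 404 };

  const headers = {
    "content-type": asset.mime,
    "x-content-type-options": "nosniff",
    "content-security-policy": "sandbox; default-src 'none'",
  };
  if (ACTIVE_TYPES.has(asset.mime)) {
    headers["content-disposition"] = "attachment";
  }
  return { status: 200, headers, body: asset.body };
}

// Cross-tenant request: globex's domain asking for acme's SVG.
console.log("vulnerable:", serveAssetVulnerable("docs.globex.example", "logo.svg").status); // 200
console.log("hardened:  ", serveAssetHardened("docs.globex.example", "logo.svg").status);   // 404
```

The ownership check is the actual fix for the cross-customer exposure; the header hardening is defence in depth against a malicious upload from within the same tenant, and is worth keeping even once assets move to a dedicated, cookie-less origin.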
stuxf @stuxfdev
@CristiVlad25 @Xbow if you’re doing it right you can burn upwards of $2000 in tokens per hour
Mehul Mohan @mehulmpt
I have spent the last 4 hours understanding React2Shell deeply (video soon). The exploit itself is relatively complex to piece together, but the code that enables that exploit is a hot mess. This RCE issue was there for multiple months. Crazy to think about it.