A retrospective on the $100M Balancer hack that occurred in November 2025, including long-term, strategic guidance on how to avoid similar bugs.

AI is transforming software development and turbocharging many aspects of a developer's daily work. But it’s also bringing new challenges to your teams: how do you maintain code quality and security standards as the volume of AI-generated code doubles, triples…

AI is transforming software development and turbocharging many aspects of a developer's daily work. But it’s also bringing new challenges to your teams: how do you maintain code quality and security standards as the volume of AI-generated code doubles, triples…

Introduction Earlier this year, I earned a $10,000 bounty from Microsoft after discovering a critical HTTP request smuggling vulnerability in ASP.NET Core’s Kestrel server (CVE-2025-55315). The vulnerability garnered significant media attention after Microsoft…

Hello! I’m Matias Forti, technical lead here at Kulkan Security. As the AI landscape continues to evolve I’ve been really interested in…

Traditional cross-site scripting (XSS) vulnerabilities were prevalent when server-side rendering (with languages like PHP, JSP, and ASP) was the norm. However, as applications become more complex and...

We are excited to share that Sonar has been named a Leader and Fast-Mover in the latest GigaOm Radar for Application Security Testing (AST). Following an in-depth evaluation of 27 vendors, GigaOm positioned Sonar in the top-tier ‘Maturity/Platform Play’ quadrant…

There’s an elegance to vulnerability research that feels almost poetic - the quiet dance between chaos and control. It’s the art of peeling back the layers of complexity, not to destroy but to understand; to trace the fragile threads that hold systems together…

A critical RCE vulnerability has been patched in Imunify360 AV. Hosting companies should patch the issue immediately & check servers for signs of compromise.

Checksec Anywhere consolidates fragmented binary security analysis tools into a browser-based platform that analyzes ELF, PE, and Mach-O formats locally without compromising privacy or performance.

Posted by Jeff Vander Stoep, Android Last year, we wrote about why a memory safety strategy that focuses on vulnerability prevention in ...

We are excited to share that Sonar has been named a Leader and Fast-Mover in the latest GigaOm Radar for Application Security Testing (AST). Following an in-depth evaluation of 27 vendors, GigaOm positioned Sonar in the top-tier ‘Maturity/Platform Play’ quadrant…

After yet another workout where my sports watch completely lost GPS, I’d had enough. I decided to dig into its firmware and pinpoint the problem. I couldn’t find it published anywhere. No download section, no public archive, nothing. So, I changed tactics…

We’ve released open-source Go implementations of ML-DSA and SLH-DSA.

What's Changed
🎉 New Features

Adding json + xpath headless extractors by @Mzack9999 in #6559
Adding VNC auth by @Mzack9999 in #6413
Feat(templating): add vars templating into yaml inputs (ytt)...

The Internet is ablaze, and once again we all have a front-row seat - a bad person, if you can believe it, is doing a bad thing!

The first warning of such behaviour came from the great team at Defused:

As many are now aware, an unnamed (and potentially…

We’re releasing Slither-MCP, a new tool that augments LLMs with Slither’s unmatched static analysis engine.

In this article, I’ll walk you through my journey in intercepting HTTPS traffic from a APK based on Flutter during a pentesting engagement…

This blog introduces SonarQube's enhanced analysis capabilities for GitHub Actions, designed to proactively identify and remediate security vulnerabilities like Command Injection and Code Execution that pose a significant supply chain risk.