Hi there 👋

Welcome to my Blog. I post security stuff here.

Designing a Passive LiDAR Detector Device - Hardware

Inspired by classic hardware hacking talks, this post kicks off a series on building a passive LiDAR detector. We’ll dive into the fundamental principles and component selection for the hardware, from choosing the right photodiode and op-amp to designing the filtering and amplification circuits needed to spot invisible laser pulses from modern sensors.

December 5, 2025 · 8 min · 1652 words · sherlockthebond

The Normalization of Deviance in AI

The gradual, systemic over-reliance on imperfect AI outputs is creating a dangerous ‘normalization of deviance,’ mirroring the organizational failures that led to the Challenger space shuttle disaster. By accepting hallucinations, buggy code, and agentic drift as ‘good enough,’ we are eroding safety standards and setting the stage for catastrophic failure.

December 5, 2025 · 7 min · 1361 words · sherlockthebond

RTCon: A Deep Dive into Context-Adaptive Fuzzing for RTOS Kernels

A detailed exploration of RTCon, a new function-level fuzzing framework for Real-Time Operating Systems (RTOS). Learn how its context-adaptive approach overcomes the unique challenges of securing embedded kernels, as detailed in the upcoming NDSS 2026 paper.

December 5, 2025 · 6 min · 1225 words · sherlockthebond

Unpacking New Vulnerabilities in Socomec Industrial Systems and PDF-XChange Editor

Cisco Talos has discovered multiple critical vulnerabilities affecting Socomec’s DIRIS Digiware M series industrial power monitoring systems and the widely used PDF-XChange Editor software. These flaws could allow for remote code execution, potentially leading to system compromise in both industrial and enterprise environments. This post details our findings, the potential impact, and the importance of timely patching.

December 4, 2025 · 5 min · 1028 words · sherlockthebond

The $9M yETH Exploit: How a 16 Wei Deposit Triggered an Infinite Token Glitch

A detailed analysis of the November 2025 Yearn Finance exploit, where an attacker turned a 16 wei deposit into $9 million. We dissect the precision loss vulnerability, the step-by-step attack vector, and the critical lessons for DeFi security.

December 2, 2025 · 7 min · 1452 words · sherlockthebond

Solving Turb0’s XSS challenge using recursive object attributes

A deep dive into solving the ‘Stranger XSS’ challenge from turb0.one. This write-up explores how a seemingly secure recursive merge function can be exploited via Prototype Pollution to achieve Cross-Site Scripting, turning innocent-looking JavaScript gadgets into execution sinks.

December 2, 2025 · 9 min · 1734 words · sherlockthebond

Dissecting TALOS-2025-2280: An Out-of-Bounds Read in PDF-XChange Editor's EMF Parser

A detailed analysis of TALOS-2025-2280, a critical out-of-bounds read vulnerability in PDF-XChange Editor. This flaw originates from the improper parsing of Enhanced Metafile (EMF) EMR_SMALLTEXTOUT records, potentially leading to sensitive information disclosure and creating a pathway for more complex exploit chains. We explore the technical underpinnings of the bug, its impact, and best practices for mitigation.

December 2, 2025 · 7 min · 1487 words · sherlockthebond

InQL v6.1.0 Just Landed with New Features and Contribution Swag! 🚀

We are thrilled to announce InQL v6.1.0, a major update to our open-source Burp Suite extension for GraphQL security testing. This release revolutionizes how testers approach GraphQL endpoints by introducing a powerful schema brute-forcer for when introspection is disabled, a server engine fingerprinter to identify implementation-specific vulnerabilities, and automatic variable generation to streamline dynamic testing. Combined with numerous performance enhancements and a new contributor rewards program, InQL is now more powerful and user-friendly than ever.

December 1, 2025 · 7 min · 1341 words · sherlockthebond

Unpacking CVE-2025-61260: Command Injection in OpenAI's Codex CLI

A critical command injection vulnerability, CVE-2025-61260, has been discovered in the OpenAI Codex CLI. This flaw allows attackers to execute arbitrary code by tricking a developer into using the tool within a malicious project folder, highlighting the hidden dangers of project-local configuration files and the need for robust input sanitization in developer tooling.

December 1, 2025 · 7 min · 1327 words · sherlockthebond

Deconstructing the Quinindrome: A Deep Dive into Synacktiv's 2025 Winter Challenge

Overview Challenges that push the boundaries of creativity and technical skill are eagerly awaited by the cybersecurity community each year. Announcements from Synacktiv are a highlight, and the 2025 Winter Challenge is no exception, presenting a single, evocative word: Quinindrome. This term, a portmanteau of “Quine” and “Palindrome,” alludes to a programming puzzle of profound elegance and difficulty. It is a challenge that demands not just coding proficiency, but a deep understanding of code as both data and logic. This analysis deconstructs the concept, examining what a quinindrome is, why its creation is difficult, and how this computational thinking masterclass might be approached. ...

December 1, 2025 · 7 min · 1320 words · sherlockthebond