Service
Security Research
Targeted vulnerability research on specific hardware, firmware, and protocols. We go beyond scanning and configuration review to analyze how devices actually fail under adversarial pressure -- firmware reverse engineering, exploit development, and attack chain validation on the platforms your organization depends on. Backed by graduate-level training in adversarial techniques and reverse engineering from the Naval Postgraduate School.
Featured Research
OT/SCADA Security for Small Manufacturers: A Pragmatic Assessment Playbook
Manufacturing absorbed 61 percent of the 2025 ransomware surge, with a $1.3M average recovery cost and 24 days of average disruption. A five-phase assessment playbook grounded in real CISA ICS advisories (Mitsubishi, Rockwell, Siemens), the NIST SP 800-82 and IEC 62443 SL-2 frameworks, and a worked example for a 120-employee precision-machining shop. Includes five actions the operator can run this month, before any external assessment.
Read report →
Auditing an MCP Server Before You Trust It With Production Access
A practical audit playbook for Model Context Protocol (MCP) servers. Six attack classes, a five-phase methodology, and a worked example for a typical small-business deployment with Claude desktop plus Slack, Notion, and PostgreSQL MCP servers. The deployment-side companion to our four-layer agent-defense paper.
Read report →
A Four-Layer Defense Stack for LLM Agent Prompt Injection
We built a deliberately-vulnerable LLM agent and a 22-attack corpus across 7 OWASP Agentic-Security-Initiative categories, then composed four defense mechanisms into a single architectural stack: prompt-rule + deterministic plan-gate + semantic verifier + cross-provider quorum. Result: 0/198 cumulative attack compromise across 22 attacks × 9 frontier models. The fourth layer is the only architecturally-sound mitigation for verifier-model subversion.
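The gate-then-quorum composition described above, as an added example (not the report's code): a deterministic plan gate enforces a tool allowlist, workspace-confined paths and an egress host allowlist before any model judgement is consulted; the semantic verifiers are then polled across independent providers, and a single dissent denies the plan. The workspace root, tool names, allowlists, plan format and the rule-based stand-ins for model-backed verifiers are all assumptions of this example; the "subverted" verifier models one whose judgement injected content has flipped.

```python
"""Deterministic plan gate plus cross-provider verifier quorum for an LLM agent.

Added illustration, not the report's code. WORKSPACE, the tool names, the
allowlists and the rule-based verifiers are assumptions made for the example.
"""
import posixpath
from urllib.parse import urlparse

WORKSPACE = "/srv/agent/workspace"            # assumed sandbox root
ALLOWED_TOOLS = {"read_file", "write_file", "http_get"}
ALLOWED_HOSTS = {"api.example.com"}           # assumed egress allowlist


def _inside_workspace(path):
    """True if path, resolved against WORKSPACE, stays under it (blocks ../ and absolute escapes)."""
    full = posixpath.normpath(posixpath.join(WORKSPACE, path))
    return full == WORKSPACE or full.startswith(WORKSPACE + "/")


def plan_gate(plan):
    """Deterministic checks on the proposed tool calls; no model is involved.
    plan is a list of (tool_name, args_dict). Returns a list of violations;
    an empty list means the gate passes."""
    violations = []
    for i, (tool, args) in enumerate(plan):
        if tool not in ALLOWED_TOOLS:
            violations.append(f"step {i}: tool {tool!r} is not allowlisted")
        elif tool in ("read_file", "write_file") and not _inside_workspace(args.get("path", "")):
            violations.append(f"step {i}: path {args.get('path')!r} escapes the workspace")
        elif tool == "http_get" and urlparse(args.get("url", "")).hostname not in ALLOWED_HOSTS:
            violations.append(f"step {i}: host not in egress allowlist")
    return violations


def honest_verifier(task, plan):
    """Stand-in for a model-backed semantic verifier: approve only if every file
    the plan touches is named in the task and no egress is requested unless the
    task asks to fetch something."""
    text = task.lower()
    for tool, args in plan:
        if tool in ("read_file", "write_file") and args.get("path", "").lower() not in text:
            return False
        if tool == "http_get" and "fetch" not in text:
            return False
    return True


def subverted_verifier(task, plan):
    """Models a verifier whose judgement the injected content has flipped."""
    return True


def quorum_decide(task, plan, verifiers, min_providers=2):
    """Gate first; then require unanimous approval from at least min_providers
    independent providers. verifiers maps provider name -> verifier callable.
    Returns (allowed, reasons)."""
    violations = plan_gate(plan)
    if violations:
        return False, violations
    if len(verifiers) < min_providers:
        return False, [f"quorum not met: {len(verifiers)} provider(s) < {min_providers}"]
    dissent = [name for name, fn in verifiers.items() if not fn(task, plan)]
    if dissent:
        return False, [f"rejected by {name}" for name in dissent]
    return True, []


# Constructed sample task and plans (not taken from the report's corpus).
TASK = "Summarize notes.md for me"
BENIGN_PLAN = [("read_file", {"path": "notes.md"})]
INJECTED_PLAN = [                                  # passes the gate, caught by the quorum
    ("read_file", {"path": ".env"}),
    ("http_get", {"url": "https://api.example.com/collect?d=SECRET"}),
]
TRAVERSAL_PLAN = [("read_file", {"path": "../../etc/shadow"})]   # caught by the gate
VERIFIERS = {
    "provider_a": honest_verifier,
    "provider_b": honest_verifier,
    "provider_c": subverted_verifier,
}

if __name__ == "__main__":
    for label, plan in (("benign", BENIGN_PLAN), ("injected", INJECTED_PLAN), ("traversal", TRAVERSAL_PLAN)):
        print(label, quorum_decide(TASK, plan, VERIFIERS))
```

The injected plan is the interesting case: both tool calls are individually within policy (the path is inside the workspace, the host is allowlisted), so the deterministic gate passes it, and the subverted provider approves it; the plan is still denied because the other two providers dissent, which is the property a single verifier cannot give you.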
Read report →
Cracking “qshs”: Extracting Vendor-Modified SquashFS from Embedded Firmware
A five-phase methodology for extracting vendor-modified SquashFS filesystems from embedded firmware. Demonstrated on a Motorola/ARRIS SB6141 cable modem with non-standard magic bytes and LZMA compression. Full filesystem recovery revealed empty root passwords, hardcoded SSH keys, and default SNMP communities.
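Locating a SquashFS superblock whose magic a vendor has rewritten, as an added example (not the report's code or its methodology): the scan keys on the 96-byte SquashFS 4.0 superblock layout rather than on the magic alone, validating version, compressor id, block size against block_log and bytes_used, so a vendor magic does not hide the filesystem and a stray "hsqs" string in a bootloader does not produce a false hit. It then carves the filesystem and rewrites the magic to the standard value so stock tooling will accept it. The vendor magic is modelled as b"qshs" (taken from the report title; that it is the exact on-disk value, and that only the magic was changed, are assumptions of this example), and the firmware blob is constructed inline.

```python
"""Find and normalize SquashFS 4.0 superblocks with a vendor-rewritten magic.

Added example, not the report's code. Assumes the vendor changed only the
4-byte magic (modelled as b"qshs") and left the rest of the superblock intact,
so the remaining fields can still be validated structurally.
"""
import struct

# SquashFS 4.x superblock: 96 bytes, little-endian.
SUPERBLOCK = struct.Struct("<4sIIIIHHHHHHQQQQQQQQ")
FIELDS = (
    "magic", "inode_count", "mod_time", "block_size", "fragment_count",
    "compression_id", "block_log", "flags", "id_count",
    "version_major", "version_minor",
    "root_inode_ref", "bytes_used", "id_table_start", "xattr_id_table_start",
    "inode_table_start", "directory_table_start", "fragment_table_start",
    "export_table_start",
)
STANDARD_MAGIC = b"hsqs"       # little-endian "sqsh"
VENDOR_MAGIC = b"qshs"         # assumed vendor rewrite (see lead-in)
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
NO_TABLE = 0xFFFFFFFFFFFFFFFF  # "table absent" marker used for optional tables


def parse_superblock(buf, off):
    """Return the superblock at buf[off:] as a dict, or None if it is not
    structurally a SquashFS 4.0 superblock. The magic is deliberately not
    checked here, so a rewritten magic does not hide the filesystem."""
    if off < 0 or off + SUPERBLOCK.size > len(buf):
        return None
    sb = dict(zip(FIELDS, SUPERBLOCK.unpack_from(buf, off)))
    ok = (
        sb["version_major"] == 4 and sb["version_minor"] == 0
        and sb["compression_id"] in COMPRESSORS
        and 12 <= sb["block_log"] <= 20                       # 4 KiB .. 1 MiB
        and sb["block_size"] == 1 << sb["block_log"]
        and SUPERBLOCK.size <= sb["bytes_used"] <= len(buf) - off
        and sb["inode_table_start"] >= SUPERBLOCK.size
    )
    if not ok:
        return None
    sb["compressor"] = COMPRESSORS[sb["compression_id"]]
    return sb


def find_superblocks(buf, magics=(STANDARD_MAGIC, VENDOR_MAGIC)):
    """Scan for every occurrence of each candidate magic and keep only those
    whose superblock passes the structural checks. Returns (offset, sb) pairs."""
    hits = []
    for magic in magics:
        pos = buf.find(magic)
        while pos != -1:
            sb = parse_superblock(buf, pos)
            if sb is not None:
                hits.append((pos, sb))
            pos = buf.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h[0])


def carve_normalized(buf, off):
    """Carve bytes_used bytes starting at off and rewrite the magic to the
    standard value so stock unsquashfs will recognise the image."""
    sb = parse_superblock(buf, off)
    if sb is None:
        raise ValueError("no valid SquashFS 4.0 superblock at offset %#x" % off)
    image = bytearray(buf[off:off + sb["bytes_used"]])
    image[0:4] = STANDARD_MAGIC
    return bytes(image)


def build_sample_image():
    """Constructed firmware blob for the demo (synthetic, not real firmware):
    a bootloader-like prefix containing a decoy 'hsqs' string, then a
    vendor-magic SquashFS superblock (LZMA, 128 KiB blocks) and opaque filler
    standing in for the compressed tables. Returns (blob, fs_offset)."""
    fs_len = SUPERBLOCK.size + 4096
    sb = SUPERBLOCK.pack(
        VENDOR_MAGIC, 42, 1700000000, 1 << 17, 3,
        2, 17, 0x00C0, 1,              # compression_id=lzma, block_log=17, flags, id_count
        4, 0,                          # version 4.0
        0x20, fs_len, fs_len - 16, NO_TABLE,
        SUPERBLOCK.size, SUPERBLOCK.size + 1024, SUPERBLOCK.size + 2048, NO_TABLE,
    )
    prefix = b"U-Boot-ish header " + b"hsqs" + b"\x00" * 44 + b"\xff" * 6
    filler = bytes((i * 37) & 0xFF for i in range(fs_len - SUPERBLOCK.size))
    return prefix + sb + filler + b"\xff" * 512, len(prefix)


if __name__ == "__main__":
    blob, _ = build_sample_image()
    for off, sb in find_superblocks(blob):
        print("squashfs 4.0 at %#x: %s, block %d, %d bytes" % (off, sb["compressor"], sb["block_size"], sb["bytes_used"]))
```

The carved image still needs a tool built with LZMA support to unpack; the point of the structural checks is that a signature scanner keyed only on "hsqs" misses the real filesystem and reports the decoy string. Older big-endian images use "sqsh" with big-endian fields and would need the same layout unpacked with ">" instead of "<".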
Read report →
LLM Model Survey for Offensive Security Research
We benchmarked 14 large language models on a standardized embedded systems exploit design task. Research tool access is the #1 quality differentiator. A 40B model outperformed a 671B model by 75%.
Read report →
Research Domains
Deep-dive security research across embedded, wireless, and industrial systems. Each engagement produces actionable findings with reproduction steps, version-specific impact analysis, and remediation guidance.
Embedded & IoT
Embedded Device Security
Firmware extraction, reverse engineering, and vulnerability analysis on embedded systems and IoT devices. Covers network equipment, smart devices, industrial controllers, and custom embedded platforms -- including non-x86 processor architectures (ARM, MIPS, AArch64) that standard tooling handles poorly.
- Firmware extraction and binary analysis
- Vulnerability discovery in device-specific protocols
- Exploit development and proof-of-concept validation
- Cross-version vulnerability impact assessment
OT / SCADA / ICS
Industrial Control Systems
Security assessment of operational technology environments -- programmable logic controllers (PLCs), SCADA systems, HMIs, and industrial network protocols. Graduate-level ICS/SCADA training informs our approach. Research conducted in isolated lab environments to avoid operational disruption.
- PLC and RTU firmware analysis
- Industrial protocol security (Modbus, DNP3, OPC UA, BACnet)
- HMI and SCADA application vulnerability research
- Network segmentation and air-gap bypass assessment
EMS Operations
Electromagnetic Spectrum
Security research across wireless and RF technologies, grounded in graduate thesis work on covert communications using software-defined radios. Assessing the attack surface of electromagnetic spectrum-dependent systems -- from enterprise wireless networks to short-range protocols and custom RF targets.
- Wi-Fi security assessment (WPA2/WPA3, 802.1X, rogue AP)
- Bluetooth and BLE protocol analysis
- Zigbee, Z-Wave, and smart home protocol security
- SDR-based signal analysis and replay assessment
Network Equipment
Network Infrastructure Research
Deep analysis of routers, switches, firewalls, and network appliances beyond standard vulnerability scanning. Firmware-level research on the devices that form the backbone of your network infrastructure.
- Router and switch firmware reverse engineering
- Management protocol security (SNMP, SSH, web admin)
- Attack chain development across device versions
- Version-indexed vulnerability databases
Engagement Models
Security research engagements are scoped to the depth and duration your organization needs -- from a focused assessment of a single device to an ongoing research retainer across your deployed platforms.
Focused
Device Security Assessment
Targeted analysis of a specific device, firmware version, or protocol. Produces a technical briefing with exploitability rating, attack chain documentation, and prioritized remediation guidance. Typical duration: 2-4 weeks depending on target complexity.
Offensive
Custom Exploit Development
Authorized proof-of-concept exploit development for penetration testing engagements. When off-the-shelf tools don't cover your target, custom exploit code validates real-world exploitability and demonstrates impact to decision-makers.
Ongoing
Vulnerability Research Retainer
Continuous security research on platforms critical to your operations. Ongoing firmware monitoring, new CVE impact analysis, and proactive vulnerability discovery across your deployed device fleet. Monthly or quarterly reporting cadence.
Advisory
Technical Briefing
One-time deep-dive analysis on a specific CVE, vulnerability class, or threat relevant to your environment. Produces an executive summary for leadership and a technical appendix with reproduction steps, affected versions, and mitigation options.
Research Methodology
Every research engagement follows a structured pipeline from target acquisition through validated findings and actionable reporting.
01
Target Acquisition
Obtain target hardware or firmware images. Extract filesystem, identify binaries, map attack surface. Build isolated lab environment for safe analysis.
02
Analysis & Discovery
Reverse engineering, binary analysis, protocol fuzzing, and manual vulnerability discovery. Identify exploitable conditions with cross-version impact assessment.
03
Validation & Reporting
Develop proof-of-concept exploits. Validate findings against target versions. Produce technical briefing with CVSS scoring, reproduction steps, and remediation guidance.
Authorization & Ethics
All security research is conducted under explicit written authorization (Rules of Engagement) against lab-owned hardware or client-authorized targets. We require proof of legal authority to authorize testing before any engagement begins.
Vulnerability discoveries on commercial products follow responsible disclosure practices. Research findings are shared with affected vendors before public disclosure, with coordinated timelines agreed upon by all parties.
Have a Target in Mind?
Whether it's a specific device, a protocol, or a vulnerability class -- let's discuss what you need to understand about your attack surface.
Request a Consultation