Young hacker smiling

Zero false positives

Expert intelligence + effective automation

Baseball hit. Photo by Chris Chow on Unsplash: https://unsplash.com/photos/BhwRQr08PcM

Hit or miss

Estimating attack probability

One of the main obstacles against adopting a quantitative approach to risk management is that since major security breaches are relatively rare and hence, there cannot be enough data for proper statistical analysis. While this might be true in the classical sense, it is not if we adopt a Bayesian …



New information. Photo by M. Parzuchowski on Unsplash: https://unsplash.com/photos/GikVY_KS9vQ

Updating your beliefs

How Bayes Rule affects risk

Usually, changing our beliefs is seen as a negative thing. But when those beliefs represent our state of uncertainty regarding a particular cybersecurity risk, you’d better use all the tools at hand to reduce that uncertainty, i.e., measuring. Why do we speak of "belief" and not "probability" here …



Git On Steroids

Git on steroids

From messy logs to Data Analytics

There is a universal law that anyone in the tech world should know: If you ask a programmer to do something, he/she will do it their way. Even though creativity, abstract thinking, and putting your signature in your source code is a fundamental part of programming, sometimes it also …



Monetizing risk. Photo by rawpixel on Unsplash: https://unsplash.com/photos/5IiH_UVYdp0

Monetizing vulnerabilities

From probabilites to dollars and cents

In our previous article, we merely scratched the surface of the problem that quantifying risks poses, barely touching on concepts such as calibrated estimation, confidence intervals and specifying the measuring object. Now that (if?) we are convinced that: Cybersecurity risk can and should be measured in...



Risky poker move. Credits: https://unsplash.com/photos/5jkCyS8HOCY

Quantifying risk

From color scales to probabilities and ranges

One of the least understood parts of a vulnerability is the risk it poses to the target. On the tester side, we tend to confuse them with the threat, the attack vector and the actor. On the client side, it tends to get confused with impact and occurrence likelihood, due …



Binary machine learning. Credits: https://unsplash.com/photos/h3sAF1cVURw

Binary learning

Learning to exploit binaries

While our main focus, as stated previously, is to apply machine learning (ML) techniques to the discovery of vulnerabilities in source code, that is, a white-box approach to ML-guided hacking, we’ve come across an interesting approach called VDiscover, which is radically different in the following sense: Works on …



Depiction of a deep neural network. Credits: https://unsplash.com/photos/R84Oy89aNKs

Deep Hacking

Deep learning for vulnerability discovery

If we have learned anything so far in our quest to understand how machine learning (ML) can be used to detect vulnerabilities in source code, it’s that what matters the most in this process are the different representations of source code which are later fed to the actual ML …



Executive leaking business information

Attacking Without Announce

Nobody knows, but everything is allowed

We talk a lot about the advantages of extreme connectivity and availability of information, but so little about how our company’s, client’s, or even our own personal data is secure. Here we want to guide you about some management policies we suggest that you could take in advance …



Cats in a forest

Don’t let the cat out!

Trapdoor functions and their importance in security

Functions! I’m sure you have heard this concept in many ways: math, programming, economics, etc. And they all can be reduced to the same basic thing: something that takes some inputs and produces some outputs. Math is the case here, however, there is a lot to add to that …



Fluid Attacks, Among the Top Global Leaders 2018

Among the Top Global Leaders 2018

Fluid Attacks, a top cybersecurity company

In an era where IT companies and business services are diverse, realizing which companies have the best performance on service delivery is crucial when buying services from companies that guarantee their expertise. Having this in mind, Clutch (a renowned platform that connects buyers with IT companies) has...



Chucky the actual serial killer doll

The anomaly serial killer doll

Hunting missing checks with anomaly detection

In our previous article we focused on taint-style vulnerabilites, i.e., those that are essentially due to the lack of input sanitization which allows tainted, user-controlled data to reach sensitive functions. Some of these arise due to missing checks in code, such as: failure to check authentication, authorization...



Screen showing source code

Exploiting code graphs

Mining graph representations for vulnerabilities

As we have seen in our previous revision article, probably the most interesting and successful approach to automated vulnerability detection is the pattern-based approach. Since we expect to extract meaningful patterns from the code, we also need a "comprehensive and feature-rich representation"[1] of it. Other...




Service status - Terms of Use