Attack Research

How real attackers operate, and what to do about it.

Built from data we observe across our customers and the public threat landscape. Each piece walks the attacker's decision tree end-to-end — what they're doing right now, why it works, and the concrete steps a defender takes this week to break it. Verifiable security.

Find. Prove. Fix. Verify.

Detection 2026-05-13 13 min read

How attackers turned a defender tool into the killchain — and the three-CVE chain every Velociraptor operator should re-audit

Storm-2603 — the Warlock ransomware operators — turned the customer's own Velociraptor DFIR fleet into the dropper, the C2, and the persistence mechanism. CVE-2025-6264 (fleet RCE via VQL artifact submission), CVE-2026-5329 (rogue-client master RCE), and CVE-2026-6290 (cross-tenant query() ACL bypass) chain into total IR-plane compromise. We walk the audit-log shape that fired 24-72 hours before every documented ransomware deployment, plus the dangerous-artifact SIEM rule the victims wished they had run.

SOC · Detection eng

Supply Chain 2026-05-12 10 min read

How a "not Internet-facing" triage call shipped unauthenticated RCE inside SEC filing pipelines — and the asset-inventory finding that is load-bearing

CVE-2026-42796 is the unauthenticated RCE in Arelle, the open-source XBRL processor that sits inside SEC filing pipelines, ESG reporting toolchains, and a long tail of regulated-data infrastructure most security teams do not know they own. CVSS 9.8. The FP-rejection pattern that ships every time: "internal tool, not Internet-facing." That triage call is the load-bearing failure — Arelle is reachable from finance VPN segments, S3 ingestion lambdas, and vendor tunnels nobody mapped. We walk the plugin-loading primitive, the proof capsule, and the asset-inventory query that closes the gap.

AppSec · Engineering lead

Validation 2026-05-10 7 min read

What 1,142 P1-flagged bug bounty submissions reveal about triage failure — and the rubric that catches the real ones

Across HackerOne, Bugcrowd, Intigriti, YesWeHack, Synack, and Immunefi we tracked 1,142 P1-flagged submissions in 2025. Only 99 survived triage as confirmed P1 — 8.7%. The other 1,043 collapsed on five recurring shortcuts: self-XSS, 'potential' without exploitation, info-disclosure mis-labelled as RCE, sunset-asset claims, and chain prerequisites the writeup glosses over. The class persists because severity is contextual and the context check is the easy one to skip. The rubric is a pre-submission validator that filters before a platform sees it.

CISO · Strategic read

Detection 2026-05-09 14 min read

Lateral movement at AI speed: what your perimeter monitoring missed last quarter

Mandiant's M-Trends 2026 reports the median initial-access-to-handoff time has collapsed from eight hours to twenty-two seconds. The fastest observed lateral move took four minutes. If your detection pipeline runs on hourly batches, you are watching a movie of an attacker who already left.

SOC · Detection eng

Memory Safety 2026-05-03 10 min read

How a 9-year-old kernel optimisation turns any local code execution into root in 732 bytes — and the proof-capsule that ends the "P3 informational" misclassification

Copy Fail (CVE-2026-31431) is the nine-year-old Linux kernel optimisation in the AF_ALG AEAD path that turns any local code execution — a webshell, a compromised CI runner, a container with a foothold — into uid 0 root in 732 bytes of Python. The bug-rejection pattern is the same one CISA KEV keeps catching: "requires local access, P3 informational." That triage call is wrong every time the attacker already has a foothold. We walk the algif AEAD primitive, the fresh-VM reproducer, and the proof capsule that ends the misclassification.

AppSec · Engineering lead

Memory Safety 2026-05-03 9 min read

How a memory-safety bug routinely triages as DoS — and the proof-capsule contract that proves RCE before patch-management closes the ticket

CVE-2026-23918 is the Apache HTTP/2 double-free that gets misclassified as denial-of-service two times out of three and stays open in change-management for weeks while the CVSS 8.8 RCE rating sits unproven. The pattern is universal in memory-safety bugs: triage stops at the crash, the exploit primitive never gets demonstrated, and the patch slips. We walk the freed-allocation control chain, the proof-capsule contract that produces a deterministic RCE artifact before the change ticket closes, and why the demonstration — not the CVSS — is what unblocks the fix.

AppSec · Engineering lead

Supply Chain 2026-05-02 8 min read

How a "low-impact server hardening" triage call shipped a one-push RCE on every GitHub Enterprise Server — and the FP-rejection pattern that costs months

CVE-2026-3854 turned one git push -o key=value;extra into RCE on every GitHub Enterprise Server in the field — babeld didn't sanitize semicolons in push-option values, and the next-hop service trusted its own internal header. The bug sat dormant for months because every triage path correctly classified push-option mishandling as low-impact server hardening, P3 informational. What flipped it: Wiz Research filed a working reverse shell, not a hypothesis. The FP-rejection pattern is the cost — and the Proof Capsule is the fix.

AppSec · Engineering lead

Detection 2026-05-01 12 min read

Stop Trusting Vendor MITRE Coverage Claims — Measure It Yourself

Every endpoint vendor advertises 90-percent-plus MITRE ATT&CK coverage. The number is almost never measured against the customer's installed rule pack. We built a Stack Coverage Auditor that does — and the gap between claimed and measured coverage is usually 2x to 5x.

SOC · Detection eng

Supply Chain 2026-05-01 7 min read

Log4Shell, Four Years Later: We Still Find It Twice a Month

CVE-2021-44228 was disclosed in December 2021. Every CISO ran an emergency patch sprint. We still find it on customer systems twice a month — average. Here's where it hides, why scans miss it, and the regression path that keeps reintroducing it.

AppSec · Engineering lead

Detection 2026-04-30 13 min read

Compound Blackouts: When Three Defenders Are Simultaneously Blind for 72 Hours

Defense-in-depth assumes the union of your defenders covers your risk. We measured it. The union has holes. The biggest one we found this quarter was 4,320 minutes wide -- a Velociraptor memory-hunt cadence gap during which three classes of detection were simultaneously asleep. Plus eleven other cross-defender bypass primitives our ENDPOINT-STACK-CHAIN family probes for, and the sweep-line algorithm we use to find compound blackouts on any stack.

SOC · Detection eng

AppSec 2026-04-30 8 min read

How unauthenticated bulk-data API endpoints keep leaking 100M-record corpora — and the four authz tests every API owner should run

T-Mobile lost 37 million records. AT&T lost 73 million. Snowflake bled 165 tenants. The same architectural property links them: a single authenticated request returned more data than any legitimate human workflow ever needed, and the auth model treated one record and one million records as identical events. The class-killer is auth proportional to volume — four tests on every API surface that re-express rate limits in records-per-minute, cap result-set size at the data plane, and page on result-size anomalies. One pattern, every carrier, finishable in an afternoon.

AppSec · AppSec lead

Detection 2026-04-29 14 min read

The thirteen evasion patterns that walk past per-source thresholds — and what replaces them in 2026

Per-source rate limiting was the right design in 2014 and the wrong design in 2026. A residential-proxy network across 1,200 ASNs at one request per IP per minute sustains 10,000 logins per minute against /login while every CrowdSec, Fail2Ban, and OWASP CRS rule sits idle. The thirteen ENDPOINT-L7-EVASION probes — distributed stuffing, GraphQL alias-bombs, CRLF log forgery, HTTP/3 parser gaps, WebSocket post-handshake brute force, CGNAT whitelist abuse, and CTI Sybil amplification — name the gaps and the per-account, per-behaviour controls that close them.

SOC · Detection eng

Identity 2026-04-29 7 min read

How five common SaaS-tenant misconfigurations compound into account takeover — and the dependency graph every tenant owner should walk

Across 412 Microsoft 365, Google Workspace, and Salesforce tenants, 67 (16%) carried all five settings at once: admins exempt from MFA, personal-email recovery, 8-plus-hour sessions, ungated OAuth, and no consent-grant alerts. Each is individually defensible — break-glass on-call, vendor defaults, end-user convenience — which is exactly why they accumulate. The chain runs phish to admin refresh-token in fifteen minutes; remove any one node and it breaks. Flat checklists hide the path. The dependency graph shows which single remediation kills the most chains.

AppSec · AppSec lead

Validation 2026-04-28 7 min read

What a 48-hour CISA-KEV retest cadence actually catches — and why quarterly-pentest economics are over

CISA added 187 KEV entries in Q1 2026. The median gap between a customer's incident and the KEV add date was 11 days. The median gap to their next monthly scan was 14 days. Customers were getting breached in the window quarterly-pentest economics created. The class persists because monthly cadence is a billing artifact, not an engineering constraint — modern scan engines finish in under an hour. The operational answer: KEV-feed-triggered retest for every customer within 48 hours. Verifiable security.

CISO · Strategic read

Detection 2026-04-26 15 min read

The FIM Stack You Trust Is Probably Blind to Every Modern Bypass

Eight composite-bypass tests that walk through every major way modern Linux post-exploit primitives slip past AIDE, Samhain, OSSEC, and Wazuh-FIM in compound. The FIM stack you installed five years ago to satisfy PCI 11.5 was probably never tuned for memfd_create, bpffs persistence, transient systemd timers, or initramfs tampering. This is what to check today.

SOC · Detection eng

AppSec 2026-04-26 9 min read

cPanel CVE-2026-41940: 70 Million Domains, One Session-Loading Bug, Zero Auth

cPanel authentication bypass CVE-2026-41940 was actively exploited in the wild for weeks before watchTowr's disclosure on 29 April 2026. The bug: a session-loading flaw that prior reporters filed and got marked 'low-priority session-cookie hardening.' 70 million domains run cPanel/WHM. Here is the Proof Capsule, the magic-token semantics, and what the FP-rejection pattern cost.

AppSec · AppSec lead

Identity 2026-04-25 9 min read

How one consumer signing-key forged tokens for 25 enterprise tenants — and the cross-tenant key-lineage audit that catches the next one

Storm-0558 lifted a 2016 Microsoft consumer signing key out of a 2021 crash dump that never should have left the signing environment, then forged enterprise OWA tokens for 25 tenants — including State and Commerce — without stealing a password or defeating an MFA prompt. It worked because crash-dump redaction trusted itself, the debug environment treated live keys as harmless artifacts, OWA validation merged consumer and enterprise JWKS at one layer, and a retired key kept validating into 2023. Architecture diagrams aren't security controls; cross-realm validation tests are.

CISO · Strategic read

Detection 2026-04-24 8 min read

Cross-Team Attack Vectors: When Web Findings Predict the Cloud Breach

Web-app findings and cloud-config findings get reviewed by separate teams in most orgs. Our chain-correlation engine surfaces a recurring pattern: the SSRF you ignored last quarter is the IAM credential exfil you'll discover next quarter. Here's the data.

CISO · Strategic read

Detection 2026-04-23 12 min read

The 2026 Open-Source Endpoint Defender Coverage Map

We measured eleven open-source endpoint defenders against 220 attack angles. Stacking more tools narrows your visibility differently than the marketing suggests. Here is the map.

SOC · Detection eng

Identity 2026-04-23 7 min read

Why every session cookie is a password — and the three operational rules that stop the next HAR-file leak

In October 2023, attackers pulled active Okta admin session cookies out of 134 customer HAR files and replayed them into 1Password, Cloudflare, and BeyondTrust — no password, no MFA, just a bearer token the protocol cannot tell apart from its owner. The class persists because RFC 6265 makes session cookies fungible by default, browsers ship a one-click HAR exporter, and L1 support routinely asks customers to email those captures. Three operational rules end it: ban HAR uploads, bind sessions to a network or device signal, shrink admin lifetimes hard.

AppSec · AppSec lead

AppSec 2026-04-22 7 min read

The deserialisation-in-admin-endpoint pattern that ships in every managed-file-transfer product — and the request-boundary rule that ends the class

Three managed-file-transfer vendors. Three pre-auth RCEs. Three Cl0p campaigns and 2,700 victim organisations. MOVEit, GoAnywhere, and Cleo each shipped the same architectural shape: an internet-facing admin plane, a serialised-object protocol, a permissive partner-API design, and a slow patch cadence. The fourth vendor is already in production. The class-killer is a request-boundary rule — no deserialisation of untrusted bytes on any path reachable from an unauthenticated handler, plus an identity-aware proxy in front of every management plane.

AppSec · Engineering lead

Detection 2026-04-21 6 min read

What three months of watching a single customer domain on four underground forums actually shows — and the four signals worth alerting on

Twelve weeks, 612 customer domains, 73 hits across XSS.is, Exploit.in, BreachForums Mirror, and four IAB-adjacent Telegram channels. Forty-one percent stale, 22% combo lists, 19% PII dumps, 18% fresh-access listings. The 18% slice is the only one worth paging on, and most commercial dark-web monitoring tools never index the rooms it lives in. We also surfaced the contractor-domain blind spot: 12 of 13 fresh-access listings named third-party staff, not the customer's own employees.

CISO · Strategic read

AppSec 2026-04-20 8 min read

From CRLF to Account Takeover: A 5-Step Chain We Found in 38 Companies

A header-injection bug nobody patches connects to a session-fixation pattern most apps still ship. We found this 5-step exploitation chain on 38 of 612 companies we scanned in February. Here's the chain, the prevalence data, and the fixes.

AppSec · AppSec lead

Identity 2026-04-18 8 min read

How one stolen Citrix credential became 9 days of unobserved lateral movement — and the gateway-MFA contract every healthcare org owes itself

The full BlackCat forensics on Change Healthcare cleared litigation review in March 2026. The kill chain is plain: a $200 stealer-log Citrix cred, a single-factor gateway, nine days of lateral movement, 6 TB of PHI exfiltrated through cloud uploads and DNS tunneling, then 8,500 hosts ransomed. It persists because gateways are still trusted edges, service-account credentials cache broadly, and DLP blocks reputations instead of detecting volume. The answer is phishing-resistant MFA on every external auth surface plus seven concrete checks every healthcare CISO can run this week.

CISO · Strategic read

Identity 2026-04-14 3 min read

How MFA-push replay turns one approval into all-day access — and the challenge-binding rule that ends the class

CVE-2026-7491 (CVSS 8.1) lets an attacker replay one captured Okta Verify push approval inside a 120-second window and walk past MFA without a second prompt. The bug persists because Okta Classic responses were never bound to the originating challenge, and most modernized tenants still leave Classic-compatible fallback paths enabled for legacy SAML apps. The fix is operational: force Okta Verify update, finish Identity Engine migration, kill Classic Sign-On Policies, and run a replay drill against staging before declaring done.

AppSec · AppSec lead

Cloud 2026-04-13 3 min read

How admission-webhook trust gives attackers a one-packet path to cluster-admin — and the namespace-isolation rules that end the class

CVE-2025-1974 is a 14-month-old patch that 73,000 internet-reachable Kubernetes control planes are still running unfixed. The ingress-nginx admission webhook parses attacker-controlled annotations through a template that executes shell, then hands the controller's cluster-admin service-account token to whoever lands a single AdmissionReview packet on port 8443. We walk the five-hop chain from unauth packet to every secret in the cluster, and the NetworkPolicy plus version pin that closes the entire class.

Cloud security · Cloud lead

Supply Chain 2026-04-11 3 min read

How a default checkout setting turns any forked PR into write access on your main branch — and the three CI hygiene rules that close it

CVE-2026-29901 is the actions/checkout default-configuration footgun every CI tutorial steps on: persist-credentials true plus a pull_request_target trigger means a forked pull request runs attacker-authored code with write access to your main branch. Three mid-size open-source projects woke up in March 2026 to unexpected commits. We walk the four-step token-extraction chain, the exact before-and-after workflow diff, and the three CI hygiene rules — pin to commit SHA, split untrusted-code workflows, never combine secrets with pull_request_target — that close the class.

AppSec · Engineering lead

AppSec 2026-04-09 4 min read

How attackers turn order-total trust into one-dollar checkouts — and the server-side authority pattern that ends the class

Every e-commerce stack ships the same anti-pattern: the storefront computes a totals snapshot, the server accepts it, and the payment processor charges whatever the server forwards. CVE-2026-9876 is the WooCommerce instance — a one-dollar charge against a five-hundred-dollar cart — but the class spans Magento, Shopify apps, Salesforce Commerce, and every checkout extension that honours a client-supplied totals block. The fix is server-side authority on every price-bearing field, recomputed before the capture call. One pattern, every checkout, ends the class.

AppSec · AppSec lead

AppSec 2026-04-06 3 min read

How middleware-bypass headers turn one CVE into every admin page on your site — and the request-shape audit that catches the class

Frameworks ship internal-subrequest headers to track recursion across middleware chains. When the verifier trusts that header without origin-binding it to the runtime, any external client can claim to be an internal subrequest and skip every auth gate the middleware stack was supposed to enforce. CVE-2026-29155 is the canonical Next.js case, but the same trust-the-header bug recurs in Express, NGINX rewrites, and any reverse-proxy chain. The class-killer is a request-shape audit that strips internal headers at the boundary.

AppSec · AppSec lead

Validation 2026-04-04 4 min read

How webhook signature timing oracles let attackers forge payment events — and the constant-time validation contract that ends the class

CVE-2026-22814 turns a one-character sloppiness — == instead of a constant-time compare — into a forge-any-Stripe-event timing oracle on a public webhook endpoint, no auth required. Sansec watched ~$180K in free-of-charge orders ship before the merchant reconciled against the dashboard. The class persists because hand-rolled middleware skips the SDK helper, and 'we simplified the signature check during a migration' never gets a code review. The fix is a constant-time comparator and a grep across every webhook receiver. Find. Prove. Fix. Verify.

AppSec · Engineering lead

Supply Chain 2026-04-01 7 min read

How a two-year social-engineering grooming attack ships a kernel-grade backdoor — and the four maintainer-trust signals you can audit today

The XZ Utils backdoor (CVE-2024-3094) is the most sophisticated supply-chain attack ever publicly documented against open-source infrastructure, and it almost made it into stable Debian, Ubuntu, and Fedora. The attacker spent two years grooming a single overworked maintainer with sockpuppet pressure campaigns before staging a build-time IFUNC hook that turned every patched sshd into a pre-auth remote shell. We walk the timeline, the four maintainer-trust signals our supply-chain integrity scanner audits today, and why a 500ms SSH delay was the only thing that saved the Linux ecosystem.

AppSec · Engineering lead

Validation 2026-03-27 7 min read

Why 91% of SAST findings are wrong — and what verifiable validation does instead

Ghost Security found 91% of SAST findings are false positives — 99.5% on Python/Flask command injection. The class persists because pattern-matching tools can't see runtime context, framework sanitization, or reachability, so they flag every theoretical source-to-sink path. Defenders drown, real bugs get buried, developers learn to ignore the queue. The operational answer: reachability analysis plus AI triage plus manual validation, until the rate the engineer sees is the rate that's actually exploitable. Verifiable security.

CISO · Strategic read

AppSec 2026-03-25 6 min read

How attackers chain missing security headers for click-to-takeover — and the five header settings that close the class

Missing security headers are not a hygiene checklist. They are a chain: weak HSTS lets the attacker downgrade, weak CSP lets injected script execute, missing X-Frame-Options lets a transparent iframe steal the click, weak Referrer-Policy leaks the session URL, and a missing X-Content-Type-Options header turns a user-supplied upload into a typed script. The five-header configuration that ends the chain is one config block, takes under an hour to deploy, and structurally closes click-to-takeover against your SaaS.

AppSec · AppSec lead