Compass Security
compass-security.com
@compass-security.com
Penetration Testing, Red Teaming, Incident Response, Managed Detection, Digital Forensics, Security Training, Managed Bug Bounty, Cyber Training Range
Want to understand how Windows handles authentication and access tokens? Security analyst @emanuelduss.ch explains how they’re created, used, and abused - with live demos.

🎥Presentation: youtu.be/_ODdwpxXRR4?...

#Security #Pentest #WindowsInternals
Windows Access Tokens - From Authentication to Exploitation
YouTube video by Compass Security
youtu.be
November 4, 2025 at 12:37 PM
🎉Success. Our #Pwn2own team combined #zeroday bugs to #exploit @home-assistant.io green which earned them $20'000 and 4 pts. Congratz to @bcyrill.bsky.social Emanuele, Lukasz @muukong.bsky.social and @yvesbieri.bsky.social.

Respect to @stephenfewer.bsky.social and the Summoning Team for the wins.
October 22, 2025 at 7:57 AM
So proud. Congratz. This is pwntastic!
📢 Confirmed! Emanuele Barbeno, Cyrill Bannwart, Yves Bieri, Lukasz D., Urs Mueller of Compass Security combined an arbitrary file write & cleartext transmission of sensitive data to exploit the @home_assistant Green. Their third round win earns them $20,000 and 4 Master of Pwn points. #Pwn2Own
October 21, 2025 at 5:14 PM
Reposted by Compass Security
🧭 Navigation complete! The team from Compass Security just charted a course straight into @home_assistant Green at #Pwn2Own. They head off to the disclosure room to spill how they did it. #P2OIreland
October 21, 2025 at 3:28 PM
#Pentest of gRPC-Web apps is tricky due to the binary format. We are releasing bRPC-Web, a @portswigger.net @burpsuite.bsky.social extension developed by our @muukong.bsky.social that helps manipulate #gRPC-Web traffic, even in the absence of #protobuf schemas. blog.compass-security.com/2025/10/brpc...
October 21, 2025 at 11:38 AM
@thezdi.bsky.social #Pwn2own schedule is out. Compass folks have been drawn 3rd to exploit the @home-assistant.io Green for $40,000. 🤞for a #bounty today Tuesday Oct 21st, 5pm (Swiss time). #ethicalhacking

Schedule www.zerodayinitiative.com/blog/2025/20...
Zero Day Initiative — Pwn2Own Ireland 2025: The Full Schedule
Welcome to Pwn2Own Ireland 2025! We have some amazing spooky entries for this year’s contest, and a potential of up to $2,000,000 - including our largest ever single prize for a 0-click in WhatsApp fo...
www.zerodayinitiative.com
October 21, 2025 at 6:13 AM
Heading to Cork for #Pwn2Own Ireland 🇮🇪. Watch the live draw at 15:00 (Swiss time) to see which target we’ll be taking on 👀🔗 www.linkedin.com/events/pwn2o...
October 20, 2025 at 9:51 AM
Learn about a FortiProxy Domain Fronting Protection bypass discovered by our analyst @emanuelduss.ch. Details in the advisory: www.compass-security.com/en/news/deta...

Curious how web filters are evaded? Read his blog series: blog.compass-security.com/2025/03/bypa...

#cve #pentest #bypass
Vulnerability in FortiProxy
Security analyst Emanuel Duss identified a vulnerability in FortiProxy.
www.compass-security.com
October 15, 2025 at 11:03 AM
The leaked LockBit chats give a rare inside look at ransomware ops.

Read our blog for an analysis and lessons for defenders: blog.compass-security.com/2025/10/lock...

#CyberSecurity #Ransomware #LockBit
October 7, 2025 at 7:36 AM
NIS2 means stricter rules and steep fines.

Penetration testing is key to proving compliance & improving security, uncovering flaws before attackers do.

Our latest blog explains why you need it now: blog.compass-security.com/2025/09/ensu...

#CyberSecurity #NIS2 #Pentesting
September 23, 2025 at 11:19 AM
The final episode of our Kerberos deep dive is live!

RBCD opens new attack paths in Kerberos. Learn how misconfigs enable privilege escalation and how to defend.

youtu.be/l97RDnzdrXY?...

#Kerberos #ActiveDirectory
Kerberos Deep Dive Part 6 - Resource-Based Constrained Delegation
YouTube video by Compass Security
youtu.be
September 18, 2025 at 5:19 AM
Episode 5 of our Kerberos deep dive is live. Constrained delegation isn’t bulletproof. See how attackers exploit it, and how to defend with monitoring & best practices.

youtu.be/rnhr02eKU0I?...

#Kerberos #ActiveDirectory
Kerberos Deep Dive Part 5 - Constrained Delegation
YouTube video by Compass Security
youtu.be
September 16, 2025 at 6:55 AM
Episode 4 of our Kerberos deep dive is live. Unconstrained delegation can expose critical credentials. Learn how attackers abuse it, and how to lock down your systems.

youtu.be/_6FYZRTJQ-s?...

#Kerberos #ActiveDirectory
Kerberos Deep Dive Part 4 - Unconstrained Delegation
YouTube video by Compass Security
youtu.be
September 11, 2025 at 5:52 PM
Episode 3 of our Kerberos deep dive is live. AS-REP Roasting abuses accounts without pre-auth. Learn the risks, how attackers exploit it, and how to defend.

youtu.be/56BjmyOTN5o?...

#Kerberos #ActiveDirectory
Kerberos Deep Dive Part 3 - AS-REP Roasting
YouTube video by Compass Security
youtu.be
September 9, 2025 at 1:22 PM
We use @jameskettle.com Burp extension Collaborator Everywhere daily. Now our upgrades are in v2: customizable payloads, storage, visibility. Perfect for OOB bugs like SSRF.

Find out more here: blog.compass-security.com/2025/09/coll...

#AppSec #BurpSuite #Pentesting
September 9, 2025 at 11:54 AM
Episode 2 of our Kerberos deep dive is live.

Kerberoasting lets attackers steal AD service account credentials. See how it works and how to protect your systems: youtu.be/PhNspeJ0r-4?...

#Kerberos #ActiveDirectory
Kerberos Deep Dive Part 2 - Kerberoasting
YouTube video by Compass Security
youtu.be
September 4, 2025 at 7:39 AM
Kerberos powers auth in Windows and hides big security risks. We’re launching a 6-part deep dive: from protocol basics to attacks plus how to stop them.

Starts today → blog.compass-security.com/2025/09/tami... → Subscribe to our channel!

#Kerberos #ActiveDirectory
September 3, 2025 at 6:39 AM
Calling all bug hunters! schulNetz by Centerboard AG is now in scope! Help protect over 100k users in schools. Are you ready to make the grade and earn bounties? Program: bugbounty.compass-security.com/bug-bounties... #bugbounty #cybersecurity #ethicalhacking
September 1, 2025 at 7:47 AM
Passwords are dead, long live passkeys! 🔑

In our latest blog, we go hands-on: real-life setups, plus tips for recovery and avoiding pitfalls.

blog.compass-security.com/2025/08/into...

#Passkeys #CyberSecurity #Authentication
August 26, 2025 at 9:48 AM
Reposted by Compass Security
Burp Collaborator just got a bunch of new features. Credits go to our @compass-security.com Basel team member, Andreas 🙏
We've just released a massive update to Collaborator Everywhere! This is a complete rewrite by @compass-security.com which adds loads of features including in-tool payload customization. Massive thanks to Compass for this epic project takeover. Check out the new features:
July 15, 2025 at 6:29 AM
Reposted by Compass Security
We've just released a massive update to Collaborator Everywhere! This is a complete rewrite by @compass-security.com which adds loads of features including in-tool payload customization. Massive thanks to Compass for this epic project takeover. Check out the new features:
July 14, 2025 at 2:51 PM
LLM-based vuln hunting just leveled up with xvulnhuntr - a fork of vulnhuntr with support for: C#, Java, Go. Read @rationalpsyche.bsky.social's blog post and go grab the project on GitHub.
blog.compass-security.com/2025/07/xvul...
July 8, 2025 at 8:41 AM
Exploiting the @ubiquiti.bsky.social AI Bullet camera for #Pwn2Own made us sweat more than once.
But persistence paid off. Our detailed blog post is now live: blog.compass-security.com/2025/06/pwn2...

#penetrationtest #pentest #iot #embedded #cybersecurity
www.compass-security.com/en/services/...
June 26, 2025 at 2:38 PM
Azure IAM is meant to protect your infrastructure. But misconfigurations do the opposite.
5 critical IAM & Entra ID risks - and how to mitigate them: blog.compass-security.com/2025/06/the-...
June 25, 2025 at 12:18 PM
Thrilled for #TROOPERS25 Thursday! Emanuele & @yvesbieri.bsky.social share #Pwn2Own wins on #surveillance cams. Method, #exploit, lessons. Drop in, trade war-stories!

Talk: troopers.de/troopers25/t...
Compass pentest: www.compass-security.com/en/services/... #cybersecurity #iot #hw #fw #ot
June 25, 2025 at 5:59 AM