Compass Security
compass-security.com
@compass-security.com
Penetration Testing, Red Teaming, Incident Response, Managed Detection, Digital Forensics, Security Training, Managed Bug Bounty, Cyber Training Range
🎉Success. Our #Pwn2own team combined #zeroday bugs to #exploit @home-assistant.io green which earned them $20'000 and 4 pts. Congratz to @bcyrill.bsky.social Emanuele, Lukasz @muukong.bsky.social and @yvesbieri.bsky.social.

Respect to @stephenfewer.bsky.social and the Summoning Team for the wins.
October 22, 2025 at 7:57 AM
#Pentest of gRPC-Web apps is tricky due to the binary format. We are releasing bRPC-Web, a @portswigger.net @burpsuite.bsky.social extension developed by our @muukong.bsky.social that helps manipulate #gRPC-Web traffic, even in absence of #protobuf schemas. blog.compass-security.com/2025/10/brpc...
October 21, 2025 at 11:38 AM
Heading to Cork for #Pwn2Own Ireland 🇮🇪. Watch the live draw at 15:00 (Swiss time) to see which target we’ll be taking on 👀🔗 www.linkedin.com/events/pwn2o...
October 20, 2025 at 9:51 AM
The leaked LockBit chats give a rare inside look at ransomware ops.

Read our blog for an analysis and lessons for defenders: blog.compass-security.com/2025/10/lock...

#CyberSecurity #Ransomware #LockBit
October 7, 2025 at 7:36 AM
NIS2 means stricter rules and steep fines.

Penetration testing is key to proving compliance & improving security, uncovering flaws before attackers do.

Our latest blog explains why you need it now: blog.compass-security.com/2025/09/ensu...

#CyberSecurity #NIS2 #Pentesting
September 23, 2025 at 11:19 AM
We use @jameskettle.com Burp extension Collaborator Everywhere daily. Now our upgrades are in v2: customizable payloads, storage, visibility. Perfect for OOB bugs like SSRF.

Find out more here: blog.compass-security.com/2025/09/coll...

#AppSec #BurpSuite #Pentesting
September 9, 2025 at 11:54 AM
Kerberos powers auth in Windows and hides big security risks. We’re launching a 6-part deep dive: from protocol basics to attacks plus how to stop them.

Starts today → blog.compass-security.com/2025/09/tami... → Subscribe to our channel!

#Kerberos #ActiveDirectory
September 3, 2025 at 6:39 AM
Calling all bug hunters! schulNetz by Centerboard AG is now in scope! Help protect over 100k users in schools. Are you ready to make the grade and earn bounties? Program: bugbounty.compass-security.com/bug-bounties... #bugbounty #cybersecurity #ethicalhacking
September 1, 2025 at 7:47 AM
Passwords are dead, long live passkeys! 🔑

In our latest blog, we go hands-on: real-life setups, plus tips for recovery and avoiding pitfalls.

blog.compass-security.com/2025/08/into...

#Passkeys #CyberSecurity #Authentication
August 26, 2025 at 9:48 AM
LLM-based vuln hunting just leveled up with xvulnhuntr - a fork of vulnhuntr with support for: C#, Java, Go. Read @rationalpsyche.bsky.social's blog post and go grab the project on GitHub.
blog.compass-security.com/2025/07/xvul...
July 8, 2025 at 8:41 AM
Exploiting the @ubiquiti.bsky.social AI Bullet camera for #Pwn2Own made us sweat more than once.
But persistence paid off. Our detailed blog post is now live: blog.compass-security.com/2025/06/pwn2...

#penetrationtest #pentest #iot #embedded #cybersecurity
www.compass-security.com/en/services/...
June 26, 2025 at 2:38 PM
Azure IAM is meant to protect your infrastructure. But misconfigurations do the opposite.
5 critical IAM & Entra ID risks - and how to mitigate them: blog.compass-security.com/2025/06/the-...
June 25, 2025 at 12:18 PM
Thrilled for #TROOPERS25 Thursday! Emanuele & @yvesbieri.bsky.social share #Pwn2Own wins on #surveillance cams. Method, #exploit, lessons. Drop in, trade war-stories!

Talk: troopers.de/troopers25/t...
Compass pentest: www.compass-security.com/en/services/... #cybersecurity #iot #hw #fw #ot
June 25, 2025 at 5:59 AM
LinkedIn: your job history and your attacker’s roadmap. In his latest blog post, Ivano Somaini shows how malicious actors could mine profiles, badges, and more. Learn from our experienced Social Engineer: blog.compass-security.com/2025/06/link...
June 11, 2025 at 12:20 PM
Primate traits run deep at Teleboy: smart, curious, and always evolving. If that sounds like you, challenge the boundaries of their infra and secure the streaming, internet, and phone experience of 400'000+ users. #bugbounty #ethicalhacking #cybersecurity bugbounty.compass-security.com/bug-bounties...
June 2, 2025 at 7:41 AM
Many CI/CD tools promise to keep your dependencies up to date - but if misconfigured, they can expose your organization. From token leaks to MR hijacks, Jan's latest blog post shows how bad configuration can turn a security tool into an attack vector. 🛠️💣

blog.compass-security.com/2025/05/reno...
May 27, 2025 at 7:25 AM
In his latest blog post, Marc Tanner @brain-dump.org shows how to bypass BitLocker using BitPixie (CVE-2023-21563) and signed Microsoft components only. Check out the blog post for a PoC and a demo. #BitLocker #RedTeam

blog.compass-security.com/2025/05/bypa...
May 13, 2025 at 12:38 PM
Tired of sifting through Entra ID manually? EntraFalcon is a PowerShell tool that flags risky objects configs & privileged role assignments with ⚡ Scoring model 📊 HTML reports 🔒 No Graph API consent hassle. Get it now: blog.compass-security.com/2025/04/intr...
#EntraID #IAM
April 29, 2025 at 11:09 AM
3 milliseconds to admin — Our analyst John Ostrowski turned a DLL hijacking into a reliable local privilege escalation on Windows 11. He chained opportunistic locks and API hooking to win the race to CVE-2025-24076 & CVE-2025-24994. Read his blog post: blog.compass-security.com/2025/04/3-mi...
April 15, 2025 at 9:00 AM
How can I become a Red Team Operator? – Yours sincerely, A recent graduate.

We break down what it takes and why there's no shortcut, and why pentesting is the place to start: blog.compass-security.com/2025/04/i-wa...

#redteam #infosec #pentest #career
April 2, 2025 at 7:09 AM
Dear #bughunter, gear up! dEURO launches its program. Hunt for vulnerabilities, secure the oracle-free #stablecoin, and get rewarded. #API, mobile apps and solidity contract in scope. Max. bounty at CHF 10'000. Ready to mint your victory? 🚀 #DeFi bugbounty.compass-security.com/bug-bounties...
March 26, 2025 at 1:15 PM
No system is perfect!

In part 4 of his blog series, @emanuelduss.ch shows how detection mechanisms of web filters can be bypassed: blog.compass-security.com/2025/03/bypa...

#pentest #network
March 20, 2025 at 9:49 AM
Web filters can often be bypassed in various ways. In part 3 of his blog series, @emanuelduss.ch explains how Domain Fronting works, how attackers use it to evade restrictions and how you can detect it.

Read the blog post to find out: blog.compass-security.com/2025/03/bypa...

#pentest #network
March 18, 2025 at 8:02 AM
IT security can be stressful: we take care of the relaxation! Visit us at #secIT2025 and take a little time out.

#CyberSecurity #ITSecurity #secit #StaySafe
March 17, 2025 at 8:29 AM
Still think your web filter is secure? Host Header Spoofing might prove otherwise. In part 2 of his post series, @emanuelduss.ch breaks down this bypass technique - how it works and how to stop it. Check it out: blog.compass-security.com/2025/03/bypa...
#pentest #network
March 13, 2025 at 8:04 AM