I got permanently banned from @Hacker0x01. Account deleted. No explanation.
Years of work gone overnight. Submission history, achievements, leaderboard ranks, every contribution I made to the security and crypto ecosystems through HackerOne. Wiped, like I was never there.
Inference Fuzzing with Recursive Prompting: A Practical Methodology for LLM-Driven Code Audits https://t.co/zeiJE4R51l (how we find 0day's with local LLM)
Meet Jarvis, the Iron Man-inspired Claude Code setup steered by @Icare1337 🤖
This self-managing, multi-agent system has turbocharged his Bug Bounty workflow, but one rule remains ironclad: every finding needs human validation 👇
https://t.co/DT0Thig2jI
We just got a new post by @avlidienbrunn on the lab!
He brought it up in the #researchers exclusive chat and we HAD to post it.
Go check it out!
https://t.co/v2yNzTTYNK
How to find 0day using local LLM's and "recursive prompting". I used this approach on a NVIDIA DGX Spark using Qwen 3.6 heretic and LLAMA.cpp with LiteLLM and Openclaw. It successfully analyzed a complex FOSS code base and found a single high-risk RCE 0day.
Go for Security Auditors: Part 2
You’ve cloned the repo. go build ./... passes. Now what?
A guide to finding entry points, mapping attack surfaces, choosing a review strategy, and tooling for your audit.
https://t.co/vIetOrA6fK
We pulled in $117,000 in Chrome bug bounties with simple tricks; on Wednesday, Quang Luong will spill his secrets at the Stanford AI Security Conference:
https://t.co/Fhq0NH13jn
Fun fact: Quang is probably the only researcher in the known universe who still uses Gemini to find bugs.
Before the end of the year, Calif researchers will be presenting at Blackhat USA, Defcon, and Hexacon. We're also hoping to make it to Unprompted AU, OffensiveCon, and Objective By The Sea.
At Black Hat USA, Dionysus Blazakis and the team will walk through the bugs and exploit chain used in the Apple MIE bypass discovered a few months ago.
https://t.co/dfeYJSzFVT
At DEF CON, we will tell the story of hacking software that helps run the Internet backbone.
At Hexacon in Paris, @brucedang and I will give the keynote. Apple announced MIE there last year, so it'll be a fun one. I suspect they only wanted Bruce, but keynotes require a certain amount of professional nonsense, and Bruce is far too honest for that, so I got invited too. My job is marketing, which is to lie without getting caught.
What's wild is that none of this existed at the beginning of the year.
We started with a simple realization: very few people have both deep security expertise and access to the best AI models.
So we went all in and never looked back.
Back in March, we called a company-wide all-hands on a Saturday. The title of the invite was: "AI Tsunami and Our Actions."
I don't want to romanticize overwork, but what we were seeing felt too urgent to wait until Monday.
Then everyone started cooking. The results have been spectacular.
Our research on defeating Apple MIE made it into The Wall Street Journal. We signed major contracts with Anthropic, OpenAI, Google DeepMind, and xAI. While others are celebrating access to the latest models, we've been using them to explore the frontiers of vulnerability research.
In the first half of 2026, we're already surpassing our entire 2025 bookings. Most importantly, we've assembled a top-tier team in record time.
I've read many strategy books, but this is the first time I've witnessed the power of the right strategy at the right time.
Focus is the name of the game. Strategy is deciding what to ignore. For one month and a half, we stopped starting new projects. I've personally shelved a lifelong passion in Vietnam, because it isn't a priority for the company. You can only move fast when you're light.
Several people were upset when we changed direction so abruptly. That's normal. If nobody complains, you probably didn't focus.
Of course, strategy isn't magic. You can make a focused bet and still be wrong. We were fortunate that this one worked out.
None of this would be possible without our partners and supporters across the frontier labs. Thank you.
I'm very excited to share my blogpost series (including PoC code) about a remote, interactionless iPhone exploit over iMessage: https://t.co/9FNpYQIyWE
https://t.co/64V8Yki23Z
Our researchers spent several weeks developing a full Chrome exploit chain and wondered about the current state-of-the-art in this area.
For the benefit of the community, we invited the GOAT of browser exploitation, @5aelo, to share his perspectives on modern browser security and exploitation.
This event will be live-streamed on YouTube and open to everyone.
Submit your questions: https://t.co/OfBzuTV72z
Add to Google Calendar: https://t.co/CX82X9MyO9
Add to Outlook Calendar: https://t.co/mvrKJ7I5HS