🗓️ Join us for the next exciting episode of runZero Hour on July 16. Register Now!

Exposure management needs a reboot. Great research is the key to innovating new solutions.

Securing your total attack surface has never been more challenging. We believe that applied research is fundamental to building better security solutions to address both new problems and the persistent ones that dog security teams. By sharing our research, tools, and knowledge with our community, we can help each other proactively improve our defenses and raise the bar on attackers.

SSHamble: Exploit SSH protocol vulnerabilities

The runZero research team discovered a range of weaknesses across SSH applications that impact critical network security devices and software. These long standing issues remained undiscovered due to the lack of tooling available – until now!

More about SSHamble

Join us for Hacker Summer Camp!

Join us in Las Vegas, August 4–10, for a week of action at BSides, Black Hat, DEF CON, and more.

We've got six talks to take in and crews in every venue you'll want to visit – it's going to be an epic week with lots of great adventures! We can't wait to see you!

See All Summer Camp Events

Divining Risk: Deciphering Signals From Vulnerability Scores

Vulnerability scores promise clarity, but too often just add to the noise.

We analyzed signals from over 270,000 CVEs to reveal what CVSS, EPSS, and SSVC actually tell us — and what they don’t.

Read the Report
Background Image

runZero Hour • July 16, 2025 • 1PM ET / 10AM PT

Reshaping Security with Open Source: Insights from ProjectDiscovery & runZero

This month, we’re celebrating open source collaboration with the minds behind ProjectDiscovery: Rishiraj Sharma and Sandeep Singh, the co-founders behind the highly effective Nuclei scanner.

Join us for a conversation about how open source is reshaping security and how runZero and ProjectDiscovery are working together to build safer, smarter scanning.

Register Now

Summer Camp Season!

runZero Research on the Road

See us speak in Las Vegas, August 4–10! 

Join us for a wild week of action at BSides, Black Hat, DEF CON, and beyond!

BSides • August 4 @ 11am PDT
Turbo Tactical Exploitation: 22 Tips for Tricky Targets
Join HD Moore as he delivers rapid-fire, practical tips to help you spot valuable targets faster, pivot smarter, and skip the noise. From recon to lateral movement (and everything in between), these techniques are built for speed and getting the most out of every packet, port, and pivot.

Whether you’re on a red team or just want to better understand your exposure, you’ll leave with new ways to spot weak links fast — and exploit them even faster.
Learn More
Diana Initiative • August 4 @ 3pm PDT
Forging Strong Cyber Communities in Uncertain Times
HD Moore and Nicole Schwartz explore what it takes to create and foster robust cybersecurity communities and why we should all get involved in these important initiatives — now more than ever. HD will share insights from developing the open-source Metasploit Project, drawing parallels with the enduring principles of in-person community building that Nicole and her fellow board members rely upon to grow and sustain The Diana Initiative.

Learn strategies for initiating and scaling these networks, discover ways to contribute regardless of skillset, and see why participation is crucial to building collective resilience against evolving cyber threats.
Learn More
Black Hat Arsenal • August 6 @ 11am PDT
Akheron Proxy - Interchip communication serial proxy
Matthew Kienow and Deral Heiland will be at Black Hat Arsenal Station 9 diving into Akheron Proxy, a serial communication proxy application tool designed to connect and proxy serial communication between microprocessors on a hardware circuit board.

See how to capture, decode, replay, and fuzz serial communications flowing between microprocessors on an embedded device circuit board in real time.
Learn More
Black Hat • August 7 @ 2:30pm PDT
Vulnerability Haruspicy: Picking Out Risk Signals from Scoring System Entrails
Join Tod Beardsley, runZero VP of Security Research, as he digs into the strengths, weaknesses, and absurdities of CVSS, EPSS, and SSVC, comparing them to the reality of how security teams actually handle vulnerabilities.

Tod will explore where these models help, where they mislead, and whether any of them are meaningfully better than rolling a D20 saving throw vs exploitation. Plus, we'll be unveiling a new tool to help you stay on top of the dynamic and sometimes surprising nature of these scoring systems!
Learn More
DEF CON ICS Village • August 9 @ 3pm PDT
There and Back Again: Detecting OT Devices Across Protocol Gateways
Join Rob King, Director of Applied Research, for a discussion on legacy protocols that are still widely used in the OT world and how devices that speak them are often hidden behind protocol gateways.

Rob will also share creative methodologies for discovering devices on the other side of these gateways safely and effectively. Come jump down the OT rabbit hole with us!
Learn More
DEF CON Main Stage • August 9 @ 3pm PDT
Shaking Out Shells with SSHamble
Secure Shell (SSH) is finally fun again! After a wild two years, including a near-miss backdoor, clever cryptographic failures, unauthenticated remote code execution in OpenSSH, and piles of state machine bugs and authentication bypass issues, the security of SSH implementations has never been more relevant.

This session is an extension of our 2024 work (Unexpected Exposures in the Secure Shell) and includes new research as well as significant updates to our open source research and assessment tool, SSHamble.
Learn More

Talk

BSidesSF: Charting the SSH Multiverse with HD Moore

The Secure Shell (SSH) is the most commonly exposed dedicated management protocol, second only to HTTP in terms of internet-wide exposure, and it’s had a rocky year. This presentation explores the multitude of SSH implementations, their specific weaknesses, and real-world exposures.

Watch Now

Keynote

NSEC: A Pirate's Guide to Snake Oil & Security

Watch as HD Moore takes you on a satirical voyage through the crowded world of vulnerability management. From clashing tribes to competing frameworks, HD examines how defenders can navigate vendor claims and hype to uncover what actually works.

Watch Now

On-Demand

Vulnerability management is broken: what's the fix?

HD Moore and Omdia analyst Rik Turner discuss why traditional vulnerability management is struggling in modern IT infrastructures, why CVEs don’t tell the full story, and why prioritization alone isn’t enough to close critical security gaps. They also explore how exposure management offers a fundamentally different approach that’s better suited for today’s evolving threat landscape.

Watch Now
Background Image

Research Report: Volume 1

Uncovering Alarming Gaps & Unexpected Exposures

The runZero research team analyzed millions of assets across hundreds of enterprise networks, including internal infrastructure, internet-facing assets, and cloud environments. We found alarming gaps, unexpected trends, and much more.

Download the Report

Latest runZero Hour Episodes

Watch recent episodes of our monthly research webcast exploring all things exposure and timely security topics.

Webcasts
runZero Hour, Ep. 19: Mission: Contextualize – LLMs, MCP, and the Future of Vulnerability Intelligence
Jerry Gamblin joins us for a deep dive into today’s vulnerability landscape — from CVE trends and statistics to the launch of his new MCP (Model...
Watch Now
Webcasts
runZero Hour, Ep. 18: Unpacking vulnerability scoring systems with EPSS expert Jay Jacobs
Vulnerability scoring expert Jay Jacobs joins us for an insightful session exploring how scoring systems like CVSS, EPSS, and SSVC signal risk —...
Watch Now
Webcasts
runZero Hour, Ep. 17: The State of Vuln Management, Our Approach, and a Deep Dive into New Risk Findings
On this special edition of runZero Hour, join Tod Beardsley and Rob King for a deep dive into the future of exposure management.
Watch Now
Webcasts
runZero Hour, Ep. 16: Handling EOL’d operating systems, runZero Starlink integration, and more!
Former CISA Section Chief and now VP of Security Research at runZero Tod Beardsley shares insights on handling end-of-life operating systems like...
Watch Now
Webcasts
runZero Hour, Ep. 15: Network topology, detailed fingerprinting and MODBUS love
On this episode of runZero Hour, Rob King and Tom Sellers welcome Brianna Cluck, researcher extraordinaire from GreyNoise Intelligence, covering a...
Watch Now
Webcasts
runZero Hour, Ep. 14: Introducing Inside-Out Attack Surface Management
New inside-out attack surface management capabilities, tips for discovering elusive TLS and SSH stacks, a deep dive on the iSCSI protocol, and new...
Watch Now
Webcasts
runZero Hour, Ep. 13: Anniversary episode reflecting on 2024 through the lens of IT-OT/IoT convergence
In this special anniversary episode we gathered an all-star panel of cybersecurity experts to look back on 2024 through the lens of IT-OT/IoT...
Watch Now
Webcasts
runZero Hour, Ep. 12: A deep-dive into OT devices, protocols, and vulnerabilities
In this month’s episode of runZero Hour, we take a deep dive into new research insights on OT devices, protocols, and vulnerabilities.
Watch Now
Webcasts
runZero Hour, Ep. 11: A CISA insider's perspective on managing the KEV catalog
Tod Beardsley, CISA cybersecurity expert offers an insider’s look into CISA’s mission and management of the Known Exploited Vulnerabilities (KEV)...
Watch Now
Webcasts
runZero Hour, Ep. 10: RDP security, ATG & PC-WORX OT protocols
We dug into the details of three different protocols, and explored how our exceptionally creative customers help drive innovation in our platform.
Watch Now
Webcasts
runZero Hour, Ep. 9: (SSHamble Edition)
Didn't make it to DEF CON 32? We got you! This episode of runZero Hour explores all things SSH, including our new open-source tool: SSHamble.
Watch Now
Webcasts
runZero Hour, Ep. 8: Kaspersky Ban, Energy Sector & regreSSHion
The latest insights (and opinions!) on the impending US ban of Kaspersky products, the FBI's warning for threats against the renewable energy...
Watch Now

Latest Research Blogs

Dive into the latest findings, insights, and observations on attack surfaces from our research team.

runZero Research
Out-of-Band, Part 1: The new generation of IP KVMs and how to find them
We begin the series exploring security risks of OoB management devices like BMCs, serial console servers, and IP-enabled KVMs, and share how to...
Read More
runZero Research
CVSS, EPSS, and SSVC: How to Read Between the Vulnerability Scores
Learn about strengths and limitations of each scoring systems – and how to best leverage them inform your triage strategy.
Read More
runZero Research
Labelling for End-of-Life Consumer IoT
IOT labelling is back on the menu, but how to actually do it is still tricky.
Read More
runZero Research
RDP security: The impact of secure defaults and legacy protocols
Explore the evolution of the Remote Desktop Protocol to become secure by default and learn how to audit your environment for risky RDP configurations.
Read More
runZero Research
Proven fingerprinting techniques for effective attack surface management
Precise asset identification is critical for effective cyber asset attack surface management. See how runZero’s techniques are unmatched.
Read More
runZero Research
How to detect SSH key reuse
Unmanaged SSH keys leaves networks vulnerable to cyber attacks. Learn how Zero helps with auditing SSH keys to reduce unnecessary exposures on your...
Read More
runZero Research
End-of-life assets: managing risks in outdated technology
Outdated assets create a more accessible entry point for attackers to exploit your attack surface. Learn how the runZero Platform effectively...
Read More
runZero Research
Cyber asset management in the era of segmentation decay
Network segmentation faces limitations with modern equipment. See how a CAASM approach can improve asset discovery and threat protection.
Read More
Product
How runZero speaks to the TwinCAT 3 Automation Device Specification (ADS) protocol
In industrial automation, TwinCAT 3’s Automation Device Specification (ADS) protocol ensures seamless communication between components and systems....
Read More
runZero Research
Unusual Assets: The riskiest factor in attack surface management
runZero’s research finds outlier assets, even if just slightly unusual, are often significantly riskier than others. The outlier score gives...
Read More
runZero Research
Active Asset Discovery in OT networks: runZero and the NREL/CECA Report
The Cohort 2 report describes how runZero safely discovers devices in a large, complex OT/ICS environment. Learn more about runZero's discovery...
Read More
runZero Perspective
AI in CAASM: The Risks of LLM data in security-critical workflows
Current generation AI tools provide appealing answers but struggle with a crucial challenge: knowing the truth, which poses great security risks.
Read More

Latest Rapid Responses

Get tips on addressing 0-day threats and see how to uncover them immediately with runZero prebuilt queries.

Rapid Response
How to find Wing FTP Server installations on your network
Multiple vulnerabilities were disclosed in certain versions of Wing FTP Server, with evidence of the vulnerability being actively exploited in the...
Read More
Rapid Response
How to find Fortinet assets on your network
Fortinet has issued an advisory for a vulnerability affecting certain versions of their FortiWeb product. Here's how to find affected assets.
Read More
Rapid Response
How to find Phoenix Contact devices on your network
In July 2025, Phoenix Contact disclosed vulnerabilities in certain models and versions of their AC charging controller and PLC firmware.
Read More
Rapid Response
How to find Microsoft SQL Server installations on your network
Microsoft has disclosed three vulnerabilities in certain versions of Microsoft SQL Server. Here's how to find affected assets on your network.
Read More
Rapid Response
How to find Mitsubishi Electric Air Conditioning Systems
A critical authentication bypass vulnerability has been disclosed in Mitsubishi Electric air conditioning systems.
Read More
Rapid Response
How to find Brother printer, scanner and label maker devices on your network
Rapid7 has disclosed eight vulnerabilities in certain models and versions of Brother printer, scanner and label maker devices. Here's how to find...
Read More
Rapid Response
How to find Citrix NetScaler ADC & Gateway instances on your network
Two vulnerabilities were disclosed that impact customer-managed installations of NetScaler ADC and NetScaler Gateway.
Read More
Rapid Response
How to find Progress MOVEit Transfer installations on your network
Progress software disclosed two new vulnerabilities in their MOVEit Gateway product. Here's how to find affected services on your network.
Read More
Rapid Response
How to find Aviatrix Controller on your network
Mandiant recently disclosed two vulnerabilities in Aviatrix Controller. Here's how to find affected assets on your network.
Read More
Rapid Response
How to find Langflow installations on your network
A vulnerability in Langflow is actively being exploited as part of the Flodrix botnet. Here's how to find potentially vulnerable installs.
Read More
Rapid Response
How to find Cisco Identity Services Engine (ISE) installations
A vulnerability has been disclosed in certain cloud-deployed versions of Cisco ISE in AWS, Microsoft Azure, and Oracle Cloud Infrastructure.
Read More
Rapid Response
How to find Roundcube Webmail on your network
A Roundcube Webmail vulnerability would allow a remote, authenticated attacker to perform RCE due to deserialization of untrusted data.
Read More
Background Image

Explorers, innovators, & experts

Meet the team behind our research.

We are a group of industry veterans with decades of experience in information security, who are committed to runZero’s foundational principle that applied research makes for better asset discovery, and that better asset discovery is the foundation of modern exposure management.

The goal of the runZero research team is to discover incredibly efficient ways to pinpoint at-risk devices and quickly get this information into the hands of our customers and community. We achieve this through both precise fingerprinting and fast outlier analysis across IT, OT, IoT, cloud, mobile, and remote environments. 

HD Moore

Founder & CEO

HD Moore is the founder and CEO of runZero. Previously, he founded the Metasploit Project and served as the main developer of the Metasploit Framework, which is the world's most widely used penetration testing framework.

More from HD Moore

Rob King

Director of Applied Research

Rob King is the Director of Applied Research at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped...

More from Rob King

Tom Sellers

Principal Research Engineer

Tom Sellers is a Principal Research Engineer at runZero. In his 25 years in IT and Security he has built, broken, and defended networks for companies in the finance, service provider, and security software industries. He has...

More from Tom Sellers

todb

Vice President of Security Research

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infra...

More from todb

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

Try it Free
© Copyright 2025 runZero, Inc. All Rights Reserved