đź“ş Live webcast, Jan. 29: How TeamSystem accelerates M&A with runZero Register Now
runZero CAASM

Exposure management needs a reboot. Great research is the key to innovating new solutions.

Securing your total attack surface has never been more challenging. We believe that applied research is fundamental to building better security solutions to address both new problems and the persistent ones that dog security teams. By sharing our research, tools, and knowledge with our community, we can help each other proactively improve our defenses and raise the bar on attackers.

Undead by design: benchmarking end-of-life operating systems

End-of-life operating systems don’t disappear — they persist, widening your attack surface and weakening your defenses.

The latest runZero report uncovers end-of-life operating systems still shambling through U.S. enterprises and millions of assets — revealing the risks that haunt our networks.

Read the Report

How TeamSystem accelerates M&A integration with runZero

TeamSystem grew from 3,000 to 5,000+ employees, and they needed a way to secure new acquisitions without slowing down.

On Jan. 29, join our live webcast to hear how TeamSystem used runZero to accelerate M&A integration, achieving total asset visibility in just hours – not days.

Register Now

On the latest runZero Hour

Exploring offseason resorts & OT networks with Brianna Cluck

In the latest episode of runZero Hour, Rob King and Tod Beardsley chat it up with fan-favorite OT expert Brianna Cluck from GreyNoise Intelligence.

They talk about Brianna’s trials, tribulations, and solutions to setting up a home lab for exploring industrial control systems (ICS) gear, using the metaphor of exploring a semi-abandoned summer resort over the winter break. Rob also has an iron or two in the OT fire (fire is typically undesirable in OT environments, by the way). And as always, Tod and Rob go over the month’s most notable vulnerabilities during the runZero Rapid Response Roundup.

Watch Now Register for the next runZero Hour

Tools built by the Research team

Practical tools to help you find, visualize, and prioritize the exposures that put your network at risk.

Tool
runZeroHound
runZeroHound is an open-source toolkit that converts runZero asset inventories (JSONL format) into BloodHound OpenGraph import files, enabling Cypher-based analysis of real network attack paths.
Learn More
Tool
EPSS Pulse
EPSS Pulse monitors daily score changes so you can zero in on the vulnerabilities that truly matter. Get the context you need to confidently prioritize what poses the greatest risk to your environment.
Learn More
Tool
SSHamble v3: Exploit SSH protocol vulnerabilities
SSHamble uncovers a range of weaknesses in SSH applications that affect critical network security devices and software.
Learn More

Research Reports

In-depth analysis and data-driven insights to help you prioritize risk and strengthen your exposure management program.

Report
Undead by Design
End-of-life (EOL) operating systems remain an underestimated risk for enterprise networks.

This report uncovers EOL operating systems still shambling through U.S. enterprises and millions of assets, revealing the risks that haunt our networks.
Read the Report
Report
Divining Risk: Deciphering Signals From Vulnerability Scores

Vulnerability scores promise clarity, but too often just add to the noise.

We analyzed signals from over 270,000 CVEs to reveal what CVSS, EPSS, and SSVC actually tell us — and what they don’t.

Read the Report
Research Report: Volume 1
Uncovering Alarming Gaps & Unexpected Exposures
The runZero research team analyzed millions of assets across hundreds of enterprise networks, including internal infrastructure, internet-facing assets, and cloud environments. We found alarming gaps, unexpected trends, and much more.
Read the Report

Latest Research Blogs

Dive into the latest findings, insights, and observations on attack surfaces from our research team.

runZero Research
The runZero CNA is the newest CVE Numbering Authority!
runZero is now officially a CVE Numbering Authority!
Read More
runZero Research
Winpocalypse: One month later, the zombies are multiplying
We’re just over a month out from the Winpocalypse, where all Windows 10 operating systems technically went end-of-life. Let's talk about it.
Read More
runZero Research
runZero Hour recap: Beyond the veil with end-of-life OSes
In this episode, we talk about everything from current programming languages to mysterious firmware to, of course, the natural process of degrading...
Read More
runZero Research
Windows 10 EOL: A Winpocalypse just like Y2K
The end of Windows 10 is here, and with it comes a surge of exploitable systems. Move fast and find your exposures before attackers do with runZero.
Read More
runZero Research
From legacy to liability: New research report on end-of-life assets
End-of-life (EOL) operating systems don’t just fade away. They linger in enterprise networks like the undead — unchanging, unpatched, and...
Read More
runZero Research
Fast ≠ careless: cutting exposure time without breaking things
This month’s runZero Hour wasn’t just another CVE rundown. We went deeper to uncover what it means to move fast without breaking things.
Read More
runZero Research
Grappling with a post-CVE world
The writing is on the wall: an over-reliance on CVEs and agent-based approaches won’t keep you safe. So what else can you do to regain the upper hand?
Read More
runZero Research
Webcast recap: see + secure everything in your OT environment
A recap of last week’s webcast, where the runZero research team dug into the hard-earned lessons of managing sensitive OT environments.
Read More
runZero Research
runZero Hour, ep. 21 recap: highlights from Hacker Summer Camp
Our top insights, tools and stories from Hacker Summer Camp 2025.
Read More
runZero Research
Introducing EPSS Pulse: monitoring volatility in vulnerability risk
Learn about the origins of EPSS Pulse — the free tool that highlights recent 'fast movers' among EPSS-evaluated, CVE-identified vulnerabilities.
Read More
runZero Research
Reshaping security with open source: runZero's collaboration with ProjectDiscovery
ProjectDiscovery co-founders Rishi and Sandeep joined our research team to explore how open source is driving the next wave of security tooling.
Read More
runZero Research
Out-of-Band, Part 1: the new generation of IP KVMs and how to find them
We begin the series exploring security risks of OoB management devices like BMCs, serial console servers, and IP-enabled KVMs, and share how to...
Read More

Latest runZero Hour Episodes

Watch recent episodes of our monthly research webcast exploring all things exposure and timely security topics.

Webcasts
runZero Hour, Ep. 26: Exploring offseason resorts and OT networks with Brianna Cluck
In the first 2026 episode of runZero Hour, Rob King and Tod Beardsley chat it up with fan-favorite OT expert Brianna Cluck from GreyNoise...
Watch Now
Webcasts
runZero Hour, Ep. 25: The Holiday Hackstravaganza!
Tod Beardsley, Rob King, (and special guests!) look back at 2025’s wildest vulnerabilities, standout research, and make bold predictions for 2026.
Watch Now
Webcasts
runZero Hour, Ep. 24: Attack graphs with runZero and BloodHound!
In this episode, runZero's Tod Beardsley, Rob King, HD Moore and Jared Atkinson, CTO of SpecterOps, dive into the tangled world of modern attack...
Watch Now
Webcasts
runZero Hour, Ep. 23: Beyond the veil with end-of-life OSes
In this episode of runZero Hour Rob King, Tod Beardsley, and captn3m0 (creator of endoflife.date) summon insights from runZero’s latest research...
Watch Now
Webcasts
runZero Hour, Ep. 22: Poking the bear (safely) - our expanded vuln checks
We just added hundreds of new critical remote vulnerability checks to runZero that run safely across all your environments and are way faster than...
Watch Now
Webcasts
runZero Hour, Ep. 21: Hacker Summer Camp recap!
In this post-Hacker Summer Camp recap, Tod Beardsley, Rob King, HD Moore, and Matthew Kienow break down the most practical insights from BSidesLV,...
Watch Now
Webcasts
runZero Hour, Ep. 20: Reshaping security with open source: Insights from ProjectDiscovery & runZero
On this episode, we celebrate open source collaboration with the minds behind ProjectDiscovery: Rishiraj Sharma and Sandeep Singh, the co-founders...
Watch Now
Webcasts
runZero Hour, Ep. 19: Mission contextualize – LLMs, MCP, and the future of vulnerability intelligence
Jerry Gamblin joins us for a deep dive into today’s vulnerability landscape — from CVE trends and statistics to the launch of his new MCP (Model...
Watch Now
Webcasts
runZero Hour, Ep. 18: Unpacking vulnerability scoring systems with EPSS expert Jay Jacobs
Vulnerability scoring expert Jay Jacobs joins us for an insightful session exploring how scoring systems like CVSS, EPSS, and SSVC signal risk —...
Watch Now
Webcasts
runZero Hour, Ep. 17: The state of vuln management, our approach, and a deep dive into new risk findings
On this special edition of runZero Hour, join Tod Beardsley and Rob King for a deep dive into the future of exposure management.
Watch Now
Webcasts
runZero Hour, Ep. 16: Handling EOL’d operating systems, runZero Starlink integration, and more!
Former CISA Section Chief and now VP of Security Research at runZero Tod Beardsley shares insights on handling end-of-life operating systems like...
Watch Now
Webcasts
runZero Hour, Ep. 15: Network topology, detailed fingerprinting and MODBUS love
On this episode of runZero Hour, Rob King and Tom Sellers welcome Brianna Cluck, researcher extraordinaire from GreyNoise Intelligence, covering a...
Watch Now

Latest Rapid Responses

Get tips on addressing 0-day threats and see how to uncover them immediately with runZero prebuilt queries.

Rapid Response
How to find Cisco Unified Communications Manager installations on your network
Cisco has reported a vulnerability affecting multiple products used to manage telecommunications, voice, video, and telepresence across various...
Read More
Rapid Response
How to find potentially vulnerable GNU inet-utils telnetd servers on your network
Simon Josefsson has reported a vulnerability in the the GNU inet-utils telnetd server. Here's how to quickly find affected assets on your network.
Read More
Rapid Response
How to find Fortinet assets on your network
Fortinet has issued an advisory describing buffer overflow vulnerabilities in multiple Fortinet products, including FortiOS, FortiSASE, and...
Read More
Rapid Response
How to find n8n on your network
Cyera has reported a critical RCE vulnerability in n8n that could lead to complete system compromise if exploited. Here's how to find affected assets.
Read More
Rapid Response
How to find Ubiquiti UniFi Protect assets on your network
Ubiquiti disclosed multiple vulnerabilities affecting certain versions of the UniFi Protect Application. Here's how to find affected assets.
Read More
Rapid Response
How to find MongoDB instances on your network
MongoDB disclosed an unauthenticated memory leak affecting multiple versions. Successful exploitation could lead to unauthorized information...
Read More
Rapid Response
How to find WatchGuard Firebox appliances on your network
WatchGuard has disclosed that certain versions of its Fireware OS are affected by an out-of-bounds write vulnerability in IKED.
Read More
Rapid Response
How to find HPE OneView instances on your network
HP Enterprise has reported a RCE vulnerability in OneView. Successful exploitation could allow total system compromise. Here's how to find affected...
Read More
Rapid Response
How to find Cisco Secure Email Gateway assets on your network
Cisco has reported a vulnerability in their Secure Email Gateway product, allowing remote, unauthenticated attackers to execute arbitrary code.
Read More
Rapid Response
How to find Gogs installations on your network
Wiz has reported a vulnerability in Gogs, allowing remote, authenticated attackers to overwrite arbitrary files on the vulnerable system.
Read More
Rapid Response
How to find Vercel Next.js instances on your network
A recently disclosed RCE vulnerability in React Server Components affects several React packages and dependent frameworks, including Next.js....
Read More
Rapid Response
How to find Grafana instances on your network
Grafana has issued a security update for a vulnerability found within the SCIM component of their Enterprise product. Here's how to find affected...
Read More

Revisit Hacker Summer Camp!

Relive the highlights of our epic week at Hacker Summer Camp 2025 with talks and interviews across BSides, Black Hat, and DEF CON.

Talks
DEF CON 33 - Shaking out shells with SSHamble (HD Moore)
This session is an extension of our 2024 work and includes new research as well as big updates to our open source research and assessment tool,...
Watch Now
Talks
DEF CON 33 - There and back again: detecting OT devices across protocol gateways (Rob King)
Presented by Rob King at DEF CON 33, this talk discusses techniques for detecting devices on the "other side" of protocol gateways.
Watch Now
Podcasts
The often-overlooked truth in cybersecurity: seeing the unseen in vulnerability management
Sean Martin (ITSPmagazine) speaks with HD Moore about an overlooked truth in cybersecurity: the greatest risks are usually the things you don’t...
Watch Now
Podcasts
You can’t get there from here: why we need a new way to manage exposure
At Black Hat 2025, CyberRisk TV sits down with HD Moore for a no-BS conversation on why vulnerability management is still failing enterprises.
Read More
Talks
Charting the SSH multiverse with HD Moore (BSidesSF 2025)
Watch runZero founder HD Moore, explore the multitude of SSH implementations, their specific weaknesses, and real-world exposures.
Watch Now
Talks
Forging strong cyber communities in uncertain times
HD Moore and Nicole Schwartz explore what it takes to create and foster robust cybersecurity communities and why we should all get involved in...
Watch Now
Webcasts
runZero Hour, Ep. 21: Hacker Summer Camp recap!
In this post-Hacker Summer Camp recap, Tod Beardsley, Rob King, HD Moore, and Matthew Kienow break down the most practical insights from BSidesLV,...
Watch Now
Background Image

Explorers, innovators, & experts

Meet the team behind our research.

We are a group of industry veterans with decades of experience in information security, who are committed to runZero’s foundational principle that applied research makes for better asset discovery, and that better asset discovery is the foundation of modern exposure management.

The goal of the runZero research team is to discover incredibly efficient ways to pinpoint at-risk devices and quickly get this information into the hands of our customers and community. We achieve this through both precise fingerprinting and fast outlier analysis across IT, OT, IoT, cloud, mobile, and remote environments. 

HD Moore

Founder & CEO, runZero

HD Moore is the founder and CEO of runZero. Previously, he founded the Metasploit Project and served as the main developer of the Metasploit Framework, which is the world's most widely used penetration testing framework.

More from HD Moore

Rob King

Director of Applied Research, runZero

Rob King is the Director of Applied Research at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped...

More from Rob King

Tom Sellers

Principal Research Engineer

Tom Sellers is a Principal Research Engineer at runZero. In his 25 years in IT and Security he has built, broken, and defended networks for companies in the finance, service provider, and security software industries. He has...

More from Tom Sellers

todb

VP of Security Research, runZero

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infr...

More from todb

Matthew Kienow

Vulnerability Researcher

Matthew Kienow is a software engineer and security researcher. Matthew previously worked on the Recog recognition framework, AttackerKB as well as Metasploit's MSF 5 APIs. He has also designed, built, and successfully deploye...

More from Matthew Kienow

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

Try it Free
runZero CAASM
© Copyright 2026 runZero, Inc. All Rights Reserved