Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

Bishop Fox Labs

Collaborative Analysis. Real-World Impact.

Our offensive security experts are dedicated to finding creative solutions to difficult security problems and then sharing that information freely. 

We believe the only way to advance the state of security is to collaborate with the broader community, and we do our best to contribute tools, research, and knowledge that can improve the security and privacy of data and systems. We hope our work has real impact on real lives. It's what inspires us every day.

Technical Blog Posts Check Out Advisories

Driven by Mission & Vision

We're committed to innovation and openly sharing information.

News Insights

Hear from our security experts on the latest happenings in the news from regulation updates to hacks around the world.

Hear from Experts

Vulnerability Intelligence

Get in-depth insights into the latest vulnerabilities found and explored by our offensive security experts.

Get the Latest

Security Advisories

Dive into the latest security bulletins and advisories curated by our expert team at Bishop Fox, encapsulating cutting-edge insights into the rapidly evolving cybersecurity landscape.

Read the Advisories

Hacking Tools

Augment your cybersecurity capabilities with an arsenal of tools and cutting-edge research, meticulously developed by Bishop Fox's team of seasoned, expert professionals.

Download the Tools

Training Sessions

Watch our training sessions to expand your continued education and give you a leg-up against threat actors in your hacking endeavors.

Watch the Sessions

Technical Guides

Download our detailed technical guides for an advanced look at frameworks, tools, and more.

Download the Guides
left

Expert-driven insights into the latest happenings

News Insights

Interview-style video recordings highlighting one individual that answers a question or discusses a relevant cybersecurity news topic. The goal is to showcase BF thought leadership on newsworthy topics on our website and across our social media channels.

Read More Intelligence
Screenshot of Caleb Gross in a video for News Insights focused on the Invanti vulnerability
Video

News Insights: Boy, that Escalated Quickly - How Zero-Day Disclosures Alter Attacker Strategy

Caleb Gross, Director of Capability Development, gives his insight on the dynamics of exploit creation and execution and what organizations can do to not only mitigate risk from this event, but also stay focused on minimizing exposure across the business.

Learn More
Thumbnail of Bishop Fox Video News Insights X Marks Target featuring Trevin Edgeworth.
Video

News Insights: Does X Mark a Target? with Trevin Edgeworth, Director of Red Team

In light of the recent security breaches involving Bitcoin and SEC’s X account, our Red Team Practice Director, Trevin Edgeworth, analyzes the role of fluctuating security programs in these incidents. He discusses how attackers exploit confusion, communication gaps, and vague policies, and identifies weak points in shared security responsibility.

Learn More
Video player with Trevin Edgeworth, Red Team Practice Director
Video

News Insights: Patch Procrastination with Trevin Edgeworth, Director of Red Team

Bishop Fox's Red Team Director, Trevin Edgeworth, spotlights two notable vulnerabilities - left unpatched for years on end and discusses how unpatched vulnerabilities can wreak havoc on businesses. One, an unpatched six-year-old flaw in Microsoft Office, the other in Google Web Toolkit (GWT), unaddressed for eight years.

Learn More
Video of Alethe Denis, Security Expert - Red Team, discussing 23AndMe Hack.
Video

News Insights: 23AndMe with Alethe Denis, Security Expert - Red Team

Alethe Denis, a Bishop Fox Senior Red Team consultant and Social Engineering expert, reveals her quick-take perspective on what she sees as different about the 23AndMe breach, and how it’s viewed by someone who is a career social engineer.

Learn More
left

In-Depth Findings

Vulnerability Intelligence

Insights include the origins and technical components of the vulnerability, how pen testers can find and exploit the vulnerability, and the relative business impact the vulnerability can have on an organization.

Read More Intelligence
Dark purple background with teal and white neon letter.
Tech

Jan 15, 2024

It’s 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable

By Jon Williams

What the Vuln logo in neon and teal letters with dark purple background.
Tech

Oct 27, 2023

Building an Exploit for FortiGate Vulnerability CVE-2023-27997

By Bishop Fox

Dark purple background with purple, teal, and white letters. What the Vuln title with Analysis and Exploitation of CVE-2023-3519.
Tech

Aug 04, 2023

Analysis and Exploitation of CVE-2023-3519

By Caleb Gross

Bishop Fox WTV EDR Bypass OG
Webcast

What the Vuln: EDR Bypass with LoLBins

Watch the second episode of our What the Vuln livestream series as we explore how to bypass endpoint detection and response (EDR) with native Windows binaries to gain advanced post-exploitation control.

Learn More
What the Vuln series with purple background, neon purple, white, and teal letters of title Breaking Fortinet Firmware Encryption and Bishop log in bottom left.
Tech

Aug 02, 2023

Breaking Fortinet Firmware Encryption

By Jon Williams

What the Vuln neon logo with the subtitle: Technical Series Quartely Roundup subtitle and featuring a fox in a hoody pointing to the logo..
Livestream

What the Vuln Series: Quarterly Roundup

Watch the third episode of our What the Vuln technical series as we share the most intriguing vulnerabilities that we encountered in Q2 2023 and how we hacked them.

Learn More
What the Vuln series: Citrix ADC RCE title and vulnerability intelligence tab
Tech

Jul 21, 2023

Citrix ADC Gateway RCE: CVE-2023-3519 is Exploitable, and 53% of Servers Are Unpatched

By Caleb Gross, Jon Williams

Dark purple background What the Vuln neon purple letters and title in blue and white code font letters and numbers.
Tech

Jun 30, 2023

CVE-2023-27997 Is Exploitable, and 69% of FortiGate Firewalls Are Vulnerable

By Caleb Gross

left

Responsible Disclosure Program

Security Advisories

We're proud to participate in Responsible Disclosures, where we expose vulnerabilities identified by Foxes in the course of company-sponsored research or during client engagements.

Explore All Advisories
Gauge showing high severity reading for a security advisory for EzAdsPro “BlackBox” application.
Advisory

Jun 20, 2023

TaskCafe, Version 0.3.2 Advisory

By Joan Bono, Luis De la Rosa Hernandez

Gauge showing high severity reading for a security advisory for EzAdsPro “BlackBox” application.
Advisory

Apr 13, 2023

WP Coder, Version 2.5.3 Advisory

By Etan Castro Aldrete

Security Vulnerability Gauge showing a low severity reading FileStack Upload Advisory
Advisory

Apr 04, 2023

Microsoft Intune, Version 1.55.48.0 Advisory

By Ben Lincoln

Gauge with medium severity reading for FlowscreenComponents Basepack, Version 3.0.7 Advisory. Mautic Version <=3.2.2 Advisory. eCatcher Desktop, Version 6.6.4 Advisory.
Advisory

Apr 04, 2023

Windows Task Scheduler Application, Version 19044.1706 Advisory

By Ben Lincoln

Gauge showing high severity reading for a security advisory for EzAdsPro “BlackBox” application.
Advisory

Jan 25, 2023

EzAdsPro BlackBox Advisory

By Dan Petro

Training session title: Swagger Jacker Training about improved auditing of OpenAPI Definition Files with the headshot os security consultant Tony West, a Bishop Fox adversarial operator.

LIVE ON YOUTUBE, LINKEDIN, TWITTER

New Tool: Swagger Jacker, Improving Auditing of OpenAPI Definition Files

Discover the power of Swagger Jacker, an open-source audit tool designed to improve inspection of unintentionally exposed OpenAPI definition files for penetration testers.

Watch the On-Demand Session

Try Popular Tools from Bishop Fox

A Hacker's Tool Kit

Swagger Jacker

Improve auditing of OpenAPI definition files.

Swagger Jacker is an audit tool designed to improve inspection of unintentionally exposed OpenAPI definition files.

Get Swagger Jacker

ASMINJECT.PY

Compromise Linux-trusted processes to capture sensitive data.

asminject.py is a code injection tool that compromises Linux-trusted processes and containers.

Get asminject.py

CloudFox

Find exploitable attack paths in cloud infrastructure.

CloudFox is a command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure. It currently supports AWS.

Get CloudFox
Get Available Tools
left

Learn from the Experts

Training Sessions

Catch our training sessions whether they are livestreams showcasing how to use Bishop Fox's elite open-source tools, in-depth Discord workshops, or interviews of security influencers and leaders at major conferences like RSA and DEF CON.

Watch the Sessions
Pwing the Domain with Silver Framework with purple and black background.
Livestream

Pwning the Domain with Sliver Framework

Senior security expert Jon Guild demonstrates how to use the Sliver C2 framework to develop advanced offensive security skills. Arm yourself with the knowledge and skills of enumeration, lateral movement, and escalation techniques from first-hand experience in a vulnerable lab environment.

Learn More
Video thumbnail featuring the speaker headshot, Jon Guild, and the title of the webcast: How to Ace the OSEP exam with the Sliver Framework.
Livestream

Ace the OSEP Exam with Sliver Framework

Unlock the secrets of passing the OSEP exam with our senior security expert, Jon Guild. Join us as Jon shares his invaluable tips and tricks for conquering this benchmark exam designed for penetration testers.

Learn More
Purple gradient background with headshot of speaker on left side.
Livestream

OWASP ASVS: Unlocking Stronger Application Security

Join offensive security expert Shanni Prutchi in this livestream as she shares her analysis of the 278 verification requirements listed in OWASP's Application Security Verification Standard (ASVS). Learn how to generate test cases and gain insights to effectively test your applications against the standard.

Learn More
The Art of Hacking neon logo on dark background.
Livestream

The Art of Hacking: Livestream from DEF CON 31

Join us Friday, August 11, 2023 for a livestream from DEF CON 31 to hear seasoned hackers and cybersecurity experts uncover the intricacies of ethical hacking and how the hacker spirit can be harnessed to push the boundaries of technology.

Learn More
The art & science of cuber leadership neon logo on dark purple background.
Livestream

The Art & Science of Cyber Leadership: A Livestream from RSAC 2023

Join us for a livestream from RSA Conference to explore cybersecurity leadership through multiple lenses. Get perspectives from CISOs, industry authorities, cyber-focused investors, and security founders on topics that are top of mind for today’s security leaders.

Learn More
left

Written For Security Practitioners

Technical Guides

Unlock the secrets of cybersecurity with our in-depth technical guides. Delve into advanced frameworks, explore cutting-edge tools, and elevate your digital defenses.

Download the Guides
OWASP ASVS Demystified digital guide on purple lock background.
Guide

OWASP ASVS Demystified: A Practical Guide to Web Application Security Testing

In this technical guide, offensive security expert Shanni Prutchi provides analysis of the entire 278 verification requirements listed in OWASP's ASVS standard to assist in the generation of test cases and provide context to companies looking to test their applications against the standard.

Learn More
Preview cover page of the asminject.py technical guide highlighting the capabilities of it, a Linux code injection security tool.
Guide

asminject.py: Compromise Trusted Linux Processes and Containers

This step-by-step technical guide highlights the capabilities of asminject.py, a code injection tool used to compromise Linux processes and containers.

Learn More
Bishop Fox Penetration Testing Resource Guide preview
Guide

Penetration Testing Resource Guide

This handy guide provides a list of great resources for learning to be a pen tester.

Learn More
Vintage vinyl record sleeve featuring a purple fox with Greatest hits of offensive testing tools in 2022. Greatest Hits: A Compilation of Our Favorite Offensive Testing Tools.
Guide

Greatest Hits: A Compilation of Our Favorite Offensive Testing Tools

What’s better than a Top 10 List? An ultimate guide of all our favorite lists – from red team and cloud penetration tools TO our favorite music to hack to and the best reads for your offensive security journey. We’ve got you covered to level up your penetration testing game with this comprehensive guide of hacking goodies.

Learn More
Illustration of 3 documents next to each other
Guide

Breaking & Entering: A Pocket Guide for Friendly Remote Admins

This user-friendly guide offers a comprehensive offensive security roadmap for sysadmins, penetration testers, and other security professionals.

Learn More
Preview of the Bishop Fox cybersecurity style guide pamphlet on dark purple background.
Guide

Cybersecurity Style Guide v2.0

Designed for security researchers, this guide is an invaluable resource for advice on which cybersecurity terms to use in reports and how to use them correctly.

Learn More

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.