Compass Security

@compass-security.com.bsky.social

Penetration Testing, Red Teaming, Incident Response, Managed Detection, Digital Forensics, Security Training, Managed Bug Bounty, Cyber Training Range

409 Followers  |  1,020 Following  |  43 Posts  |  Joined: 21.11.2024  |  1.9664

Latest posts by compass-security.com on Bluesky

Burp Collaborator just got a bunch of new features. Credits go to our @compass-security.com Basel team member, Andreas 🙏

15.07.2025 06:29 — 👍 6    🔁 1    💬 0    📌 0

We've just released a massive update to Collaborator Everywhere! This is a complete rewrite by @compass-security.com which adds loads of features including in-tool payload customization. Massive thanks to Compass for this epic project takeover. Check out the new features:

14.07.2025 14:51 — 👍 19    🔁 7    💬 1    📌 1

Thanks a lot for the mention, @jameskettle.com! Really appreciate your attribution. Huge kudos to the team for the research, dedication, and collaboration that went into this work. Proud to see your efforts recognized. #AppSec #WebSecurity #Pentesting @burpsuite.bsky.social FTW!

15.07.2025 06:25 — 👍 2    🔁 0    💬 0    📌 0

LLM-based vuln hunting just leveled up with xvulnhuntr - a fork of vulnhuntr with support for: C#, Java, Go. Read @rationalpsyche.bsky.social's blog post and go grab the project on GitHub.
blog.compass-security.com/2025/07/xvul...

08.07.2025 08:41 — 👍 3    🔁 2    💬 0    📌 0

Indeed. 😀

27.06.2025 08:11 — 👍 0    🔁 0    💬 0    📌 0

Exploiting the @ubiquiti.bsky.social AI Bullet camera for #Pwn2Own made us sweat more than once.
But persistence paid off. Our detailed blog post is now live: blog.compass-security.com/2025/06/pwn2...

#penetrationtest #pentest #iot #embedded #cybersecurity
www.compass-security.com/en/services/...

26.06.2025 14:38 — 👍 5    🔁 2    💬 1    📌 0

Azure IAM is meant to protect your infrastructure. But misconfigurations do the opposite.
5 critical IAM & Entra ID risks - and how to mitigate them: blog.compass-security.com/2025/06/the-...

25.06.2025 12:18 — 👍 2    🔁 0    💬 0    📌 0
High-resolution photo of Compass Security's IoT and industrial penetration-testing workspace: on a light wooden workbench a large-lens, black surveillance camera sits half-disassembled beside its white Synology® housing, revealing the internal printed-circuit board, image sensor and ribbon connectors targeted during firmware extraction and vulnerability analysis. A chaotic web of multicolored diagnostic leads, Ethernet patch cables, alligator clips, UART/serial breakout wires and power adapters snakes across the table, illustrating real-world hardware hacking, fault-injection and secure-boot bypass techniques used in red-team assessments of networked CCTV, smart-factory and critical OT devices. The blue pentagonal TROOPERS25 shield logo occupies the upper-right corner, signalling that this lab scene supports Compass Security's conference presentation on Pwn2Own-grade research into surveillance-camera exploits, remote-code-execution vectors and zero-day discovery. The image underscores expert penetration-testing methodology: threat modeling, reverse engineering, embedded Linux analysis, secure-element probing and API fuzzing.

Thrilled for #TROOPERS25 Thursday! Emanuele & @yvesbieri.bsky.social share #Pwn2Own wins on #surveillance cams. Method, #exploit, lessons. Drop in, trade war-stories!

Talk: troopers.de/troopers25/t...
Compass pentest: www.compass-security.com/en/services/... #cybersecurity #iot #hw #fw #ot

25.06.2025 05:59 — 👍 8    🔁 5    💬 0    📌 0

LinkedIn: your job history and your attacker's roadmap. In his latest blog post, Ivano Somaini shows how malicious actors could mine profiles, badges, and more. Learn from our experienced Social Engineer: blog.compass-security.com/2025/06/link...

11.06.2025 12:20 — 👍 1    🔁 0    💬 0    📌 0

Primate traits run deep at Teleboy: smart, curious, and always evolving. If that sounds like you, challenge the boundaries of their infra and secure the streaming, internet, and phone experience of 400'000+ users. #bugbounty #ethicalhacking #cybersecurity bugbounty.compass-security.com/bug-bounties...

02.06.2025 07:41 — 👍 3    🔁 1    💬 0    📌 0

Many CI/CD tools promise to keep your dependencies up to date - but if misconfigured, they can expose your organization. From token leaks to MR hijacks, Jan's latest blog post shows how bad configuration can turn a security tool into an attack vector. 🛠️💣

blog.compass-security.com/2025/05/reno...

27.05.2025 07:24 — 👍 6    🔁 3    💬 0    📌 0

In his latest blog post, Marc Tanner @brain-dump.org shows how to bypass BitLocker using BitPixie (CVE-2023-21563) and signed Microsoft components only. Check out the blog post for a PoC and a demo. #BitLocker #RedTeam

blog.compass-security.com/2025/05/bypa...

13.05.2025 12:38 — 👍 9    🔁 5    💬 0    📌 1

Tired of sifting through Entra ID manually? EntraFalcon is a PowerShell tool that flags risky object configs & privileged role assignments with ⚡ Scoring model 📊 HTML reports 🔒 No Graph API consent hassle. Get it now: blog.compass-security.com/2025/04/intr...
#EntraID #IAM

29.04.2025 11:08 — 👍 6    🔁 5    💬 0    📌 0

3 milliseconds to admin — Our analyst John Ostrowski turned a DLL hijacking into a reliable local privilege escalation on Windows 11. He chained opportunistic locks and API hooking to win the race to CVE-2025-24076 & CVE-2025-24994. Read his blog post: blog.compass-security.com/2025/04/3-mi...

15.04.2025 09:00 — 👍 21    🔁 5    💬 0    📌 0
Security analysts Stephan Sekula and Dennis Henke identified vulnerabilities in Ibexa DXP CMS: www.compass-security.com/en/news/deta...

14.04.2025 11:36 — 👍 1    🔁 0    💬 0    📌 0

How can I become a Red Team Operator? – Yours sincerely, A recent graduate.

We break down what it takes and why there's no shortcut, and why pentesting is the place to start: blog.compass-security.com/2025/04/i-wa...

#redteam #infosec #pentest #career

02.04.2025 07:09 — 👍 0    🔁 0    💬 0    📌 0
Security researcher Raphaël Arrouas (XeL) identified zero-day vulnerabilities in the BOINC server and responsibly reported details through our Managed Bug Bounty Program: www.compass-security.com/en/news/deta...

27.03.2025 08:34 — 👍 4    🔁 1    💬 0    📌 1

Dear #bughunter, gear up! dEURO launches its program. Hunt for vulnerabilities, secure the oracle-free #stablecoin, and get rewarded. #API, mobile apps and Solidity contract in scope. Max. bounty at CHF 10'000. Ready to mint your victory? 🚀 #DeFi bugbounty.compass-security.com/bug-bounties...

26.03.2025 13:14 — 👍 3    🔁 1    💬 0    📌 0

No system is perfect!

In part 4 of his blog series, @emanuelduss.ch shows how detection mechanisms of web filters can be bypassed: blog.compass-security.com/2025/03/bypa...

#pentest #network

20.03.2025 09:49 — 👍 5    🔁 3    💬 0    📌 0

Web filters can often be bypassed in various ways. In part 3 of his blog series, @emanuelduss.ch explains how Domain Fronting works, how attackers use it to evade restrictions and how you can detect it.

Read the blog post to find out: blog.compass-security.com/2025/03/bypa...

#pentest #network

18.03.2025 08:02 — 👍 4    🔁 1    💬 0    📌 0

IT security can be stressful – we provide the relaxation! Visit us at #secIT2025 and treat yourself to a little break.

#CyberSecurity #ITSecurity #secit #StaySafe

17.03.2025 08:29 — 👍 0    🔁 0    💬 0    📌 0

Still think your web filter is secure? Host Header Spoofing might prove otherwise. In part 2 of his post series, @emanuelduss.ch breaks down this bypass technique - how it works and how to stop it. Check it out: blog.compass-security.com/2025/03/bypa...
#pentest #network

13.03.2025 08:04 — 👍 4    🔁 0    💬 0    📌 0

Think your web filter is foolproof? Think again. Our blog series explores SNI spoofing, Host header spoofing, and Domain Fronting — techniques attackers use to slip past restrictions. Learn how they work and how to stop them!
blog.compass-security.com/2025/03/bypa...

11.03.2025 11:03 — 👍 5    🔁 2    💬 0    📌 1

Passwords are a thing of the past! Dario Caluzi's latest blog post explains why passkeys are the future of authentication. They offer a faster, more secure way to log in - no passwords, no phishing risks, just seamless authentication.
blog.compass-security.com/2025/02/pass...
#Passkeys #Passwordless

25.02.2025 08:44 — 👍 3    🔁 0    💬 0    📌 0

Avoid LDAP monitoring by leveraging local registry data with certipy parse! Check out our latest pull request and read Marc Tanner's (@brain-dump.org) blog post: blog.compass-security.com/2025/02/stea...

11.02.2025 12:28 — 👍 7    🔁 4    💬 0    📌 1

The art of penetration testing: from risk assessment through the planning phase and the legal framework to interpreting the test reports - learn how to strengthen IT security through targeted testing. Live at secIT. 👉 Register now: secit-heise.de/tickets#kaufen

07.02.2025 07:05 — 👍 1    🔁 1    💬 0    📌 0

Unlock the power of BloodHound Community Edition! 🚀 We've updated our custom queries to help you uncover misconfigurations and attack paths in AD. Read @emanuelduss.ch's blog post for tips and tricks to get started.

blog.compass-security.com/2025/01/bloo...

#BloodHoundCE #ActiveDirectory

28.01.2025 15:20 — 👍 11    🔁 3    💬 0    📌 0

Zero Day Initiative — Pwn2Own Automotive 2024 - Day Two Results: Welcome to Day Two of the first ever Pwn2Own Automotive. We awarded $722,500 yesterday for 24 unique 0-days. Today's attempts promise to be just as exciting, with another Tesla attempt at 1300 Japan S...

8 tiny bits kept our team from pwning the Alpine IVI and winning ~$10,000 at #pwn2own #automotive. 🥲 Their dedication, hard work and late night sessions were unmatched. This is the passionate hacker's journey: trial & error, learning, & growing. 💪❤️
www.thezdi.com/blog/2024/1/...

23.01.2025 14:42 — 👍 8    🔁 1    💬 0    📌 0

Zero Day Initiative — Pwn2Own Automotive 2025: The Full Schedule: Hello and welcome to the second annual Pwn2Own Automotive competition. We are at Automotive World in Tokyo, and we've brought together some of the best researchers in the world to test the latest au...

The #Pwn2Own schedule is out. Compass folks will show off their exploit Thursday, January 23rd, 10:00 Swiss time (CET). Also wishing bsky user @sinsinology.bsky.social success in pwning the Alpine IVI.

www.zerodayinitiative.com/blog/2025/1/...

21.01.2025 11:36 — 👍 8    🔁 0    💬 0    📌 0

The Compass #Pwn2Own team will be targeting the Alpine iLX-507 In-Vehicle Infotainment at Pwn2Own Automotive #P2OAuto in Tokyo. Turns out it's a popular target and our colleagues were drawn by @thezdi.bsky.social to attempt an exploit as 8th out of 10 groups targeting the device. Schedule tba

21.01.2025 06:10 — 👍 10    🔁 2    💬 0    📌 0
