Bluetooth Low Energy Security Testing, Consolidated: Introducing Caeruleus

The Bluetooth Low Energy (BLE) tooling space is fragmented and decaying. Picture a typical BLE testing session: you spin up bettercap to run ble.recon and ble.enum, your trusty (but deprecated) gatttool to read and write handles, and, when it’s time to fuzz that one writable characteristic, dig up that custom Bleak script you copy-paste between […]
GhostPack Necromancy: Reforging C# Tools with WasmForge

In the previous post we walked through WasmForge, our Go-to-WebAssembly loader that takes existing signatured Go tools and ships them as opsec-safe binaries. This approach doesn’t just apply to Go, however, as there are many languages that can compile to WebAssembly. Another language of interest to us, especially regarding legacy tools which have been over-signatured, […]
FreeBSoD: Leveraging Language Models to Find and Exploit Kernel Bugs (Part 1 of 2)

Overview Earlier this year, a team at Praetorian was building Constantine, our automated 0-day discovery engine. I wanted to find techniques worth folding into it, so on the side I started poking at the FreeBSD kernel with Claude Code, running on Opus 4.6, which was the latest Opus model at the time. A few days […]
Centurion: Bring Your Own Execution Environment

Writing my own virtualized loader is something I’ve been wanting to do since I first read Microsoft’s deep dive on FinFisher’s multi-layered VM obfuscation back in 2018. FinFisher didn’t just use one layer of protection, it implemented a custom virtual machine with 32 opcode handlers, wrapped that in spaghetti code and anti-debug checks, and then buried a second VM […]
Enter the WasmForge: Compiling Sliver into WebAssembly

In our last post we used a Claude skill to systematically beat down VirusTotal detection rates on offensive security tools, with a brief mention of a new loader we’d been using to apply those techniques in bulk. This post is about that loader, which we call WasmForge. WasmForge is, from the user’s perspective, a build […]
Adversarial Oracles: LLM-Guided EDR Signature Reduction

In previous blog posts we’ve talked about getting nerd sniped. Today we’re going to talk about a kind of nerd sniping that any offensive security tool creator is familiar with; when your tool gets signatured. This normally kicks off a frustrating spiral of back and forth changes between the tool author and security vendors until […]
Your Login Page Is Lying: What AI Agents Find When They Read Your Frontend

TL;DR: Single-page applications ship their entire frontend codebase to every visitor, including unauthenticated ones. Even a login page with no visible functionality delivers JavaScript bundles containing route definitions, API endpoint URLs, authentication logic, data models, and sometimes hardcoded secrets. As part of Guard’s continuous penetration testing, we use AI-assisted tooling to extract this information and […]
Meet Vespasian. It Sees What Static Analysis Can’t.

Praetorian is excited to announce the release of Vespasian, a probabilistic API endpoint discovery, enumeration, and analysis tool. Vespasian watches real HTTP traffic from a headless browser or your existing proxy captures and turns it into API specifications (OpenAPI, GraphQL SDL, WSDL). We built it because pentesters spend the first days of every API engagement […]
Azure APIM Signup Bypass: 97.9% of Developer Portals Still Exploitable Anonymously and from the Internet

The Azure APIM signup bypass is a critical vulnerability affecting 97.9% of internet-facing Developer Portals. Azure API Management (APIM) exposes APIs to external consumers through a Developer Portal, the interface where developers self-register, obtain API keys, and make API calls. The default APIM configuration ships with Basic Authentication enabled as the identity provider and the […]
When HttpOnly Isn’t Enough: Chaining XSS and GhostScript for Full RCE Compromise

What started as a standard cross-site scripting vulnerability in a document processing platform turned into a full administrative takeover of the application and, ultimately, remote code execution on the underlying server. The HttpOnly flag protected the session cookie from Javascript, but did the application keep it safe? During a recent assessment of a document processing […]