Meet Constantine – Find Mythos-level vulnerabilities in your code. It proves them, patches them, PRs them back. Autonomously.

Bluetooth Low Energy Security Testing, Consolidated: Introducing Caeruleus

Isometric BLE devices: a smartwatch, smart lock, earbuds and tracker emitting Bluetooth signals under a red attack glow

The Bluetooth Low Energy (BLE) tooling space is fragmented and decaying. Picture a typical BLE testing session: you spin up bettercap to run ble.recon and ble.enum, your trusty (but deprecated) gatttool to read and write handles, and, when it’s time to fuzz that one writable characteristic, dig up that custom Bleak script you copy-paste between […]

GhostPack Necromancy: Reforging C# Tools with WasmForge

Praetorian promo graphic for WasmForge. A glowing red sword forged on an anvil among shattered older swords. Headline reads Signed Go Binary on the Outside, Rubeus on the Inside, with subtext that WasmForge compiles C# tools to WebAssembly with no CLR, no AMSI, no signatures.

In the previous post we walked through WasmForge, our Go-to-WebAssembly loader that takes existing signatured Go tools and ships them as opsec-safe binaries. This approach doesn’t just apply to Go, however, as there are many languages that can compile to WebAssembly. Another language of interest to us, especially regarding legacy tools which have been over-signatured, […]

Centurion: Bring Your Own Execution Environment

Writing my own virtualized loader is something I’ve been wanting to do since I first read Microsoft’s deep dive on FinFisher’s multi-layered VM obfuscation back in 2018. FinFisher didn’t just use one layer of protection, it implemented a custom virtual machine with 32 opcode handlers, wrapped that in spaghetti code and anti-debug checks, and then buried a second VM […]

Enter the WasmForge: Compiling Sliver into WebAssembly

In our last post we used a Claude skill to systematically beat down VirusTotal detection rates on offensive security tools, with a brief mention of a new loader we’d been using to apply those techniques in bulk. This post is about that loader, which we call WasmForge. WasmForge is, from the user’s perspective, a build […]

Adversarial Oracles: LLM-Guided EDR Signature Reduction

In previous blog posts we’ve talked about getting nerd sniped. Today we’re going to talk about a kind of nerd sniping that any offensive security tool creator is familiar with; when your tool gets signatured. This normally kicks off a frustrating spiral of back and forth changes between the tool author and security vendors until […]

Your Login Page Is Lying: What AI Agents Find When They Read Your Frontend

A login page rendered semi-transparent, revealing JavaScript route definitions, API endpoint URLs, and a highlighted hardcoded secret behind it.

TL;DR: Single-page applications ship their entire frontend codebase to every visitor, including unauthenticated ones. Even a login page with no visible functionality delivers JavaScript bundles containing route definitions, API endpoint URLs, authentication logic, data models, and sometimes hardcoded secrets. As part of Guard’s continuous penetration testing, we use AI-assisted tooling to extract this information and […]

Meet Vespasian. It Sees What Static Analysis Can’t.

Praetorian is excited to announce the release of Vespasian, a probabilistic API endpoint discovery, enumeration, and analysis tool. Vespasian watches real HTTP traffic from a headless browser or your existing proxy captures and turns it into API specifications (OpenAPI, GraphQL SDL, WSDL). We built it because pentesters spend the first days of every API engagement […]

When HttpOnly Isn’t Enough: Chaining XSS and GhostScript for Full RCE Compromise

HttpOnly cookie bypass attack chain diagram showing XSS to GhostScript RCE

What started as a standard cross-site scripting vulnerability in a document processing platform turned into a full administrative takeover of the application and, ultimately, remote code execution on the underlying server. The HttpOnly flag protected the session cookie from Javascript, but did the application keep it safe? During a recent assessment of a document processing […]