Meet Constantine – Find Mythos-level vulnerabilities in your code. It proves them, patches them, PRs them back. Autonomously.

FreeBSoD: Leveraging Language Models to Find and Exploit Kernel Bugs (Part 2 of 2)

Isometric nested fortress walls with glowing red breach points, illustrating a FreeBSD jail escape and kernel exploit chain

Overview In the first installment of this series, I walked through how I leveraged large language models to assist in identifying several vulnerabilities in the FreeBSD kernel, including a stack-based buffer overflow assigned CVE-2026-3038. This raised a natural follow-up question. Can language models effectively write exploits for memory corruption vulnerabilities? This article explores that question. […]

Knossos: Procedurally Generated Decoy Environments

Praetorian helmet with glowing red eyes looming over a cross-sectioned labyrinth topped by a Greek temple, illustrating Knossos decoy environments that trap attackers.

How we built a procedural engine that learns your real cloud environment, generates decoy environments indistinguishable from production, and converts every attacker interaction into signal. In the myth, Daedalus built the Labyrinth of Knossos so well that he nearly couldn’t escape it himself. The corridors looked real. The paths felt purposeful. And the deeper you […]

GhostPack Necromancy: Reforging C# Tools with WasmForge

Praetorian promo graphic for WasmForge. A glowing red sword forged on an anvil among shattered older swords. Headline reads Signed Go Binary on the Outside, Rubeus on the Inside, with subtext that WasmForge compiles C# tools to WebAssembly with no CLR, no AMSI, no signatures.

In the previous post we walked through WasmForge, our Go-to-WebAssembly loader that takes existing signatured Go tools and ships them as opsec-safe binaries. This approach doesn’t just apply to Go, however, as there are many languages that can compile to WebAssembly. Another language of interest to us, especially regarding legacy tools which have been over-signatured, […]

Centurion: Bring Your Own Execution Environment

Writing my own virtualized loader is something I’ve been wanting to do since I first read Microsoft’s deep dive on FinFisher’s multi-layered VM obfuscation back in 2018. FinFisher didn’t just use one layer of protection, it implemented a custom virtual machine with 32 opcode handlers, wrapped that in spaghetti code and anti-debug checks, and then buried a second VM […]

Enter the WasmForge: Compiling Sliver into WebAssembly

In our last post we used a Claude skill to systematically beat down VirusTotal detection rates on offensive security tools, with a brief mention of a new loader we’d been using to apply those techniques in bulk. This post is about that loader, which we call WasmForge. WasmForge is, from the user’s perspective, a build […]

When Encryption Isn’t Really Encryption

Padlock sitting outside a transparent box exposing the credential card inside, illustrating Canon printer's broken client-side

Discovery During a recent network security assessment, we were working on an environment that was well-hardened – Patching was current, password policies were strong, and network segmentation was in place. So, as part of our enumeration of all network assets, we started looking for default credentials and this led us to multiple Canon enterprise printers […]

Adversarial Oracles: LLM-Guided EDR Signature Reduction

In previous blog posts we’ve talked about getting nerd sniped. Today we’re going to talk about a kind of nerd sniping that any offensive security tool creator is familiar with; when your tool gets signatured. This normally kicks off a frustrating spiral of back and forth changes between the tool author and security vendors until […]

Your Login Page Is Lying: What AI Agents Find When They Read Your Frontend

A login page rendered semi-transparent, revealing JavaScript route definitions, API endpoint URLs, and a highlighted hardcoded secret behind it.

TL;DR: Single-page applications ship their entire frontend codebase to every visitor, including unauthenticated ones. Even a login page with no visible functionality delivers JavaScript bundles containing route definitions, API endpoint URLs, authentication logic, data models, and sometimes hardcoded secrets. As part of Guard’s continuous penetration testing, we use AI-assisted tooling to extract this information and […]

500,000 Vulnerabilities, 14 That Matter: How Exploit Chain Analysis Cuts Through the Noise

Funnel filtering hundreds of vulnerabilities down to a critical few highlighted in red

When 500,000 Findings Hide 14 Real Threats Modern enterprises ingest vulnerability data from dozens of sources: endpoint detection and response platforms, vulnerability scanners, cloud security posture tools, container image scanners. A large organization can easily accumulate hundreds of thousands of individual findings. The standard response is to sort by CVSS score, filter for criticals, and […]