Offensive Security Blog

Expert insights on offensive security, AI vulnerabilities, and emerging threats from Bishop Fox's leading security researchers and penetration testers.

Technical Research

SonicWall-CVE-2024-53704: Exploit Details

Mar 21, 2025

Bishop Fox researcher Jon Williams explains how they successfully exploited CVE-2024-53704, an authentication bypass in unpatched SonicWall firewalls.

By Jon Williams

Technical Research

Tomcat CVE-2025-24813: What You Need to Know

Mar 18, 2025

A breakdown of CVE-2025-24813 in Apache Tomcat—what it is, who’s actually at risk, and why most users likely aren’t affected. Keep calm and patch your servers.

By Jon Williams

Technical Research

Tearing Down (Sonic)Walls: Decrypting SonicOSX Firmware

Feb 24, 2025

Bishop Fox researchers successfully reverse-engineered the encryption protecting SonicWall SonicOSX firmware, gaining access to the underlying file system.

By Jon Williams

Technical Research

SonicWall CVE-2024-53704: SSL VPN Session Hijacking

Feb 10, 2025

Bishop Fox researchers have successfully exploited CVE-2024-53704, an authentication bypass affecting the SSL VPN component of unpatched SonicWall firewalls.

By Jon Williams

Security Perspective

From Dial Tone to Throne: IVR Testing in the Spirit of The King of NYNEX

Feb 5, 2025

Explores IVR penetration testing methodologies, common vulnerabilities, and strategies to secure these critical systems against modern threats.

By Alethe Denis

Culture

Hacking the Norm: Unique Career Journeys into Cybersecurity

Jan 30, 2025

The unique career journeys of Foxes highlight that passion, curiosity, and a willingness to explore can open doors to impactful roles in cybersecurity. Check out a few of their stories.

By Gerben Kleijn, Nathan Elendt, Katie Ritchie

Product

Cosmos Series Part 4: Results-Oriented Critical Thinking

Jan 21, 2025

Explore how Bishop Fox integrates critical thinking into Cosmos development to enhance scalability, flexibility, and velocity. By focusing on outcomes and adopting structured analytical processes, we’ve avoided design pitfalls and empowered our teams to deliver impactful solutions.

By Aaron Symanski

Technical Research

raink: Use LLMs for Document Ranking

Jan 14, 2025

Learn how Bishop Fox's open-source ranking algorithm, raink, can be used to solve general ranking problems that are difficult for LLMs to process.

By Caleb Gross

Security Perspective

Navigating Workplace Security: Red Team Insights for the Return to Office

Jan 10, 2025

Review how Red Team insights can shed light on gaps in physical security and play a pivotal role in enhancing workplace security during the continued transition back to office environments as we relearn verification, protocol, and authorization.

By Alethe Denis

Technical Research

Cyber Mirage: How AI is Shaping the Future of Social Engineering

Jan 8, 2025

Bishop Fox explores the escalating threat of AI-driven deepfakes in social engineering attacks, highlighting their potential to deceive individuals and organizations by impersonating trusted figures through hyper-realistic audio and video fabrications.

By Brandon Kovacs

Product

Cosmos Series Part 3: The Importance of Automation

Jan 7, 2025

Discover how automation in code integration, deployment, and infrastructure management has streamlined our operations, enhanced deployment velocity, and improved the consistency of our deliverables.

By Aaron Symanski

Product

Cosmos Series Part 2: Outcome-driven for Features and Capabilities

Dec 31, 2024

This post explores how Bishop Fox transitioned to an outcome-driven approach for Cosmos development, streamlining processes with success criteria, continuous roadmapping, and data-driven prioritization to deliver more impactful customer solutions.

By Aaron Symanski

Product

Cosmos Series Part 1: Principles for the New Platform

Dec 17, 2024

In 2023, Bishop Fox reengineered Cosmos to give security teams the speed, scale, and flexibility needed to tackle growing attack surface challenges.

By Aaron Symanski

Technical Research

Current State of SonicWall Exposure: Firmware Decryption Unlocks New Insights

Dec 13, 2024

Discover Bishop Fox's survey on the current state of SonicWall appliances on the public internet.

By Bishop Fox Researchers

Culture

Our Favorite Pen Testing Tools: 2024 Edition

Dec 12, 2024

It's time for another hacking tool roundup! We’ve polled our team of experts to bring you the most powerful and innovative penetration testing tools.

By Bishop Fox Researchers

Product

Bishop Fox ASM Delivers 24-Hour Head Start Against Critical PAN-OS Vulnerability

Dec 9, 2024

The Bishop Fox ASM team gives customers a 24-hour head start against a critical PAN-OS vulnerability.

By Caleb Gross

Technical Research

SonicWall Firmware Deep Dive - SWI Firmware Decryption

Dec 2, 2024

Discover Bishop Fox's in-depth analysis of SonicWall firewalls, revealing critical insights into firmware security and vulnerabilities.

By Bishop Fox Researchers

Technical Research

The Growing Concern of API Security

Nov 27, 2024

Explore concerns around API security, its unique vulnerabilities, and the need for tailored protection against evolving threats in an API-driven world.

By Robert Punnett, Nicholas Beacham

Security Perspective

Application Pen Testing: Point-In-Time vs Ongoing Approaches Explained

Nov 7, 2024

Take an in-depth look at multiple approaches to application penetration testing and the organizational requirements that favor one approach over another. This post explores the different approaches and shares key considerations for choosing the best one for your organization.

By Bishop Fox

Technical Research

A Brief Look at FortiJump (FortiManager CVE-2024-47575)

Nov 1, 2024

The recent discovery of FortiJump (CVE-2024-47575) highlights a critical vulnerability exploited in the wild, prompting an urgent need to understand its impact on centralized management devices. Take a deeper look with Bishop Fox experts.

By Bishop Fox Researchers

Culture

Off the Fox Den Bookshelf: Security and Tech Books We Love

Oct 15, 2024

We've polled our team and are back with our 2024 cybersecurity book recommendations to help you level up your cybersecurity skills.

By Bishop Fox Researchers

Technical Research

Broken Hill: A Productionized Greedy Coordinate Gradient Attack Tool for Use Against Large Language Models

Sep 24, 2024

Walk through the GCG attack at a high level and get an introduction to Broken Hill, Bishop Fox's newly released tool that can perform the GCG attack against a variety of popular LLMs.

By Ben Lincoln

Security Perspective

Navigating DORA Compliance: A Comprehensive Approach to Threat-Led Penetration Testing

Sep 17, 2024

Explore how organizations can strategically prepare for and execute TLPT to meet DORA compliance while strengthening overall cybersecurity resilience.

By Bishop Fox Researchers

Technical Research

Exploring Large Language Models: Local LLM CTF & Lab

Sep 11, 2024

Explore research on isolating functional expectations for LLMs using a controller to manage access between privileged and quarantined LLMs.

By Derek Rush