Offensive Security Blog

Expert insights on offensive security, AI vulnerabilities, and emerging threats from Bishop Fox's leading security researchers and penetration testers.

Technical Research

Reports from the Field: Part 1

Mar 1, 2022

In this three-part series, we’ll describe real-world examples that showcase how perceived ‘low-risk’ vulnerabilities can turn into critical, business-impacting issues – especially through attack chaining.

By Wes Hutcherson

Security Perspective

Cloud 9: Top Cloud Penetration Testing Tools

Feb 24, 2022

You spoke, and we listened! Earlier this year, we asked what pen testing tool list we should publish next. A list that focused on the cloud was the clear crowd favorite. So that being said, here are nine of our favorite tools for cloud pen tests.

By Britt Kemp

Technical Research

Never, Ever, Ever Use Pixelation for Redacting Text

Feb 15, 2022

You can’t read what pixelated text says... right? Think again; Dan Petro explains how pixelation works, why it’s a terrible redaction technique, and how our tool Unredacter can actually reverse pixelated text.

By Dan Petro

Culture

CactusCon 10: Five Security Talks to Watch

Feb 10, 2022

Check out a few of our favorite talks from CactusCon 10.

By Britt Kemp

Culture

Music To Hack To: Volume 2

Feb 2, 2022

We open-sourced our list by asking some of our Discord members to contribute their favorites in addition to folks in the Fox Den.

By Britt Kemp

Security Perspective

Perceptual Analysis: A Look at Bishop Fox’s New Technology Patent

Jan 26, 2022

We’ve achieved a significant milestone in transforming the offensive security space with the recent patent grant award of our innovative technique known as perceptual analysis (US Patent No. 11,218,496). Get the technical details of our patent and learn more about perceptual analysis.

By Joe Sechman

Technical Research

Creating an Exploit: SolarWinds Vulnerability CVE-2021-35211

Jan 13, 2022

Sometimes, our Cosmos team creates custom exploits for particular CVEs as requested by clients. In this case, Carl Livitt created an exploit for CVE-2021-35211; here, he shares his thought process behind creating a ROP-based exploit for Serv-U FTP v15.2.3.717 on modern Windows systems.

By Carl Livitt

Technical Research

Zero-Day Collaboration: Working With Imperva to Eliminate a Critical Exposure

Jan 11, 2022

The Bishop Fox Cosmos Adversarial Operations experts identified a WAF rule bypass in the Imperva Cloud Web Application Firewall. Discover how offensive and defensive security organizations can combine forces to ensure the best outcomes for organizations and continually improve security.

By Carl Livitt

Security Perspective

Taking Home Gold: The Best InfoSec Talks & Research of the Year

Jan 4, 2022

Lots of research, security talks, and vulnerabilities caught our attention this past year. In this recap, we’ll provide an overview of some of the research we found interesting, some of the talks we found the most compelling, and some of the vulnerabilities we won’t (or can’t) forget anytime soon.

By Britt Kemp

Technical Research

How Bishop Fox Has Been Identifying and Exploiting Log4shell

Dec 27, 2021

Like you, Bishop Fox was racing against the clock to identify as many instances of the Log4j vulnerability for our clients as we could. Take a look at last week's craziness and our testing methodology.

By Dan Petro

Advisory

Log4j Vulnerability: Impact Analysis

Dec 10, 2021

Affecting enterprise software, web applications, and well-known consumer products globally, the CVE-2021-44228 zero-day vulnerability impacts any organization using the Apache Log4j framework. Read our official Bishop Fox response as we unfold and report on Log4j's impact.

By Wes Hutcherson

Technical Research

XMPP: An Under-appreciated Attack Surface

Dec 6, 2021

Misconfigured XMPP (aka Jabber) servers may not be the most common service you encounter during pen tests, but they can prove valuable. Misconfigured XMPP servers are an excellent way to retrieve sensitive data from a company, establish a foothold in their infrastructure, and inform further attacks.

By Zach Julian

Advisory

CATIE Web - Version 20.04.0

Dec 2, 2021

CATIE Web version 20.04 is vulnerable to four local file disclosure vulnerabilities, which enable an unauthenticated remote attacker to read arbitrary files via four separate application endpoints.

By Nate Robb, Dan Ritter

Security Perspective

The Pen Testing Tools We’re Thankful for in 2021

Nov 23, 2021

Searching for a pen testing tool to put to use during a security engagement? Check out our annual list of penetration testing tools our consultants have found helpful during this past year.

By Britt Kemp

Technical Research

Eyeballer 2.0 Web Interface and Other New Features

Nov 15, 2021

Eyeballer, our open source AI-powered tool, just got a few updates. See what that entails and learn how to effectively use the tool.

By Dan Petro

Security Perspective

Continuous Security: Threat Modeling in DevSecOps

Nov 8, 2021

Threat modeling can fit into a DevSecOps program quite well, as it’s inherently a collaborative exercise between security and development.

By Chris Bush

Security Perspective

9 OSINT Tools For Your Reconnaissance Needs

Oct 29, 2021

There’s no shortage of OSINT tools, techniques, and other resources – in fact, there’s so much stuff, it’s a little overwhelming to try and sort through it all. Writing a “best of” or otherwise “cumulative” list would be a futile endeavor, so instead, we compiled 9 OSINT tools we find useful.

By Britt Kemp

Technical Research

A Snapshot of CAST in Action: Automating API Token Testing

Oct 21, 2021

While investigating our clients’ attack surfaces, I find myself repeating tasks frequently enough to demonstrate a need for automation, yet not frequently enough to justify the time needed to develop an automated solution.

By Zach Zeitlin

Security Perspective

The Code Reveals All: Why Secure Code Review Should be an Integral Part of DevSecOps

Oct 12, 2021

Chris Bush provides a review of why secure code review should be an integral part of every DevSecOps lifecycle and the strategies teams should adopt.

By Chris Bush

Security Perspective

Behind The CTF Guide “Breaking & Entering: A Pocket Guide for Friendly Remote Admins”

Oct 6, 2021

I am happy to announce that the PDF version of that CTF guide is now available for download!

By Andy Doering

Technical Research

An Intro to Fuzzing (AKA Fuzz Testing)

Sep 28, 2021

Learn everything you need to know about fuzzing, including who should fuzz, what types of fuzzers exist, how to write a good harness, and more.

By Matt Keeley

Technical Research

IAM Vulnerable - Assessing the AWS Assessment Tools

Sep 23, 2021

In a follow-up to his IAM Vulnerable tool, Seth Art examines the identification aspect of IAM privilege escalation and reviews IAM privesc assessment tools.

By Seth Art

Security Perspective

A Review of the 2021 CISA and MITRE Vulnerability Lists

Sep 21, 2021

A review of the 2021 CISA and MITRE Vulnerability Lists to understand their similarities and differences, and share our takeaways.

By Britt Kemp

Technical Research

IAM Vulnerable - An AWS IAM Privilege Escalation Playground

Sep 9, 2021

The IAM Vulnerable tool helps you learn how to identify and then exploit intentionally vulnerable IAM configurations that allow for privilege escalation.

By Seth Art
