Include Security

Simply stated: Give us any kind of app and we'll hack it better than the rest.

Our clients include awesome tech companies in Silicon Valley, NYC, and beyond.

2025-04-17

Do you use or exploit WebSockets? Check out our new blog post to see how modern browsers may (or may not) be protecting you from Cross-Site WebSocket Hijacking!

blog.includesecurity.com/2025/

2025-03-13

New research🤩 on old tech👴! Our team's latest blog post demonstrates many ways memory vulnerabilities can occur in your legacy Delphi code despite being described as a "memory safe" language by the NSA.
blog.includesecurity.com/2025/

2024-11-20

New blog! Join us as we explore seemingly safe but deceptively tricky ground in Elixir, Python, and the Golang standard library. Well-documented behavior is not always what it appears!
blog.includesecurity.com/2024/

2024-09-18

Who hacks the hackers? We do!

Our new research on vulns in C2 frameworks used by netpen and red teams.
blog.includesecurity.com/

2024-04-25

Fresh blog post for ya!

We introduce coverage-guided fuzzing as a concept to hunt down bugs faster via modification of the Fuzzilli fuzzer from Google Project Zero.

blog.includesecurity.com/2024/

2024-04-04

We're glad everybody enjoyed our April Fools' joke for 2024. See, you can be serious about security but also have fun!

2024-04-01

We released our new semgrep rules today. Given the recent news about executive orders from the White House, we thought it would be important to flag all of the code that doesn't meet federal standards.

Memory Safety is serious stuff today:
github.com/IncludeSecurity/Mem

#semgrep #security #memorysafety #rust #c #cpp #illegalcode

2024-03-18

The new @OpenSecurityTraining2 website went up today.

We're happy to support great open/free security training to get more folks into our industry. If you want to learn low-level RE/hacks/OS check out OST2! ost2.fyi/Home.html

2024-03-13

We're still seeing a lot of Ruby code out there in the tech world. If we see it we hack it! Latest blog post on advanced deserialization gadget chains for exploitation of Ruby applications is up.

blog.includesecurity.com/2024/

2024-03-13

Oh Hi Mastodon world. We're IncludeSec.
IncludeSecurity.com

We like to talk about hacking stuff.
