🏫 Live on Oct. 21: How North Carolina secures K–12 schools with runZero Register Now

Exposure management needs a reboot. Great research is the key to innovating new solutions.

Securing your total attack surface has never been more challenging. We believe that applied research is fundamental to building better security solutions to address both new problems and the persistent ones that dog security teams. By sharing our research, tools, and knowledge with our community, we can help each other proactively improve our defenses and raise the bar on attackers.

SSHamble: Exploit SSH protocol vulnerabilities

We've made fresh updates to SSHamble, our open-source research and assessment tool!

SSHamble uncovers a range of weaknesses in SSH applications that affect critical network security devices and software.

More about SSHamble

Undead by design: benchmarking end-of-life operating systems

The latest runZero report uncovers end-of-life operating systems still shambling through U.S. enterprises and millions of assets — revealing the risks that haunt our networks. See how your industry stacks up and what the numbers really mean for defenders.

Read the Report

Join us on October 21 for a lesson on exposure management at scale

In this live webcast, Samuel Carter, Systems Architect at the Friday Institute, and runZero’s VP of Security Research, Tod Beardsley, share how a statewide exposure management program protects 343 PSU's across North Carolina.

Register Now

October 15 • 1PM ET / 10AM PT

runZero Hour: Beyond the veil with end-of-life OSes

Join us for a scary episode of runZero Hour with Rob King, Tod Beardsley, and EOL expert and technology necromancer, captn3m0. 

They will explore runZero’s latest research paper, “Undead by Design: Benchmarking End-of-Life Operating Systems”, which digs deep in real customer networks to get a sense of just how prevalent running EOL OSes are – and it's spine-chilling!

Register for the Webcast

Report

Divining Risk: Deciphering Signals From Vulnerability Scores

Vulnerability scores promise clarity, but too often just add to the noise.

We analyzed signals from over 270,000 CVEs to reveal what CVSS, EPSS, and SSVC actually tell us — and what they don’t.

Read the Report

Tool

EPSS Pulse

EPSS Pulse monitors daily score changes so you can zero in on the vulnerabilities that truly matter.

Get the context you need to confidently prioritize what poses the greatest risk to your environment.

Try EPSS Pulse

Talk

BSidesSF: Charting the SSH Multiverse with HD Moore

The Secure Shell (SSH) is the most commonly exposed dedicated management protocol, second only to HTTP in terms of internet-wide exposure, and it’s had a rocky year. This presentation explores the multitude of SSH implementations, their specific weaknesses, and real-world exposures.

Watch Now

Keynote

NSEC: A Pirate's Guide to Snake Oil & Security

Watch as HD Moore takes you on a satirical voyage through the crowded world of vulnerability management. From clashing tribes to competing frameworks, HD examines how defenders can navigate vendor claims and hype to uncover what actually works.

Watch Now

On-Demand

Vulnerability management is broken: what's the fix?

HD Moore and Omdia analyst Rik Turner discuss why traditional vulnerability management is struggling in modern IT infrastructures, why CVEs don’t tell the full story, and why prioritization alone isn’t enough to close critical security gaps. They also explore how exposure management offers a fundamentally different approach that’s better suited for today’s evolving threat landscape.

Watch Now
Background Image

Research Report: Volume 1

Uncovering Alarming Gaps & Unexpected Exposures

The runZero research team analyzed millions of assets across hundreds of enterprise networks, including internal infrastructure, internet-facing assets, and cloud environments. We found alarming gaps, unexpected trends, and much more.

Download the Report

Latest runZero Hour Episodes

Watch recent episodes of our monthly research webcast exploring all things exposure and timely security topics.

Webcasts
runZero Hour, Ep. 22: Poking the bear (safely) - our expanded vuln checks
We just added hundreds of new critical remote vulnerability checks to runZero that run safely across all your environments and are way faster than...
Watch Now
Webcasts
runZero Hour, Ep. 21: Hacker Summer Camp recap!
In this post-Hacker Summer Camp recap, Tod Beardsley, Rob King, HD Moore, and Matthew Kienow break down the most practical insights from BSidesLV,...
Watch Now
Webcasts
runZero Hour, Ep. 20: Reshaping security with open source: Insights from ProjectDiscovery & runZero
On this episode, we celebrate open source collaboration with the minds behind ProjectDiscovery: Rishiraj Sharma and Sandeep Singh, the co-founders...
Watch Now
Webcasts
runZero Hour, Ep. 19: Mission contextualize – LLMs, MCP, and the future of vulnerability intelligence
Jerry Gamblin joins us for a deep dive into today’s vulnerability landscape — from CVE trends and statistics to the launch of his new MCP (Model...
Watch Now
Webcasts
runZero Hour, Ep. 18: Unpacking vulnerability scoring systems with EPSS expert Jay Jacobs
Vulnerability scoring expert Jay Jacobs joins us for an insightful session exploring how scoring systems like CVSS, EPSS, and SSVC signal risk —...
Watch Now
Webcasts
runZero Hour, Ep. 17: The state of vuln management, our approach, and a deep dive into new risk findings
On this special edition of runZero Hour, join Tod Beardsley and Rob King for a deep dive into the future of exposure management.
Watch Now
Webcasts
runZero Hour, Ep. 16: Handling EOL’d operating systems, runZero Starlink integration, and more!
Former CISA Section Chief and now VP of Security Research at runZero Tod Beardsley shares insights on handling end-of-life operating systems like...
Watch Now
Webcasts
runZero Hour, Ep. 15: Network topology, detailed fingerprinting and MODBUS love
On this episode of runZero Hour, Rob King and Tom Sellers welcome Brianna Cluck, researcher extraordinaire from GreyNoise Intelligence, covering a...
Watch Now
Webcasts
runZero Hour, Ep. 14: Introducing Inside-Out Attack Surface Management
New inside-out attack surface management capabilities, tips for discovering elusive TLS and SSH stacks, a deep dive on the iSCSI protocol, and new...
Watch Now
Webcasts
runZero Hour, Ep. 13: Anniversary episode reflecting on 2024 through the lens of IT-OT/IoT convergence
In this special anniversary episode we gathered an all-star panel of cybersecurity experts to look back on 2024 through the lens of IT-OT/IoT...
Watch Now
Webcasts
runZero Hour, Ep. 12: A deep-dive into OT devices, protocols, and vulnerabilities
In this month’s episode of runZero Hour, we take a deep dive into new research insights on OT devices, protocols, and vulnerabilities.
Watch Now
Webcasts
runZero Hour, Ep. 11: A CISA insider's perspective on managing the KEV catalog
Tod Beardsley, CISA cybersecurity expert offers an insider’s look into CISA’s mission and management of the Known Exploited Vulnerabilities (KEV)...
Watch Now

Latest Research Blogs

Dive into the latest findings, insights, and observations on attack surfaces from our research team.

runZero Research
From legacy to liability: New research report on end-of-life assets
End-of-life (EOL) operating systems don’t just fade away. They linger in enterprise networks like the undead — unchanging, unpatched, and...
Read More
runZero Research
Fast ≠ careless: cutting exposure time without breaking things
This month’s runZero Hour wasn’t just another CVE rundown. We went deeper to uncover what it means to move fast without breaking things.
Read More
runZero Research
Grappling with a post-CVE world
The writing is on the wall: an over-reliance on CVEs and agent-based approaches won’t keep you safe. So what else can you do to regain the upper hand?
Read More
runZero Research
Webcast recap: see + secure everything in your OT environment
A recap of last week’s webcast, where the runZero research team dug into the hard-earned lessons of managing sensitive OT environments.
Read More
runZero Research
runZero Hour, ep. 21 recap: highlights from Hacker Summer Camp
Our top insights, tools and stories from Hacker Summer Camp 2025.
Read More
runZero Research
Introducing EPSS Pulse: monitoring volatility in vulnerability risk
Learn about the origins of EPSS Pulse — the free tool that highlights recent 'fast movers' among EPSS-evaluated, CVE-identified vulnerabilities.
Read More
runZero Research
Reshaping security with open source: runZero's collaboration with ProjectDiscovery
ProjectDiscovery co-founders Rishi and Sandeep joined our research team to explore how open source is driving the next wave of security tooling.
Read More
runZero Research
Out-of-Band, Part 1: the new generation of IP KVMs and how to find them
We begin the series exploring security risks of OoB management devices like BMCs, serial console servers, and IP-enabled KVMs, and share how to...
Read More
runZero Research
CVSS, EPSS, and SSVC: How to Read Between the Vulnerability Scores
Learn about strengths and limitations of each scoring systems – and how to best leverage them inform your triage strategy.
Read More
runZero Research
CVE chaos, MCPs, and the fight for better vulnerability data: a recap of runZero Hour 19
On our latest episode of runZero Hour I sat down with Rob King and Jerry Gamblin, Principal Engineer at Cisco, to dig into the state of...
Read More
runZero Research
Labelling for End-of-Life Consumer IoT
IOT labelling is back on the menu, but how to actually do it is still tricky.
Read More

Latest Rapid Responses

Get tips on addressing 0-day threats and see how to uncover them immediately with runZero prebuilt queries.

Rapid Response
How to find Valkey installations on your network
Certain versions of LF Projects' Valkey are affected by four vulnerabilities in its Lua scripting functionality, mirroring vulnerabilities in Redis.
Read More
Rapid Response
How to find Redis installations on your network
Redis has disclosed four vulnerabilities in certain versions of the database server's Lua scripting functionality. Here's how to find affected assets.
Read More
Rapid Response
How to find Smartbedded Meteobridge devices on your network
Smartbedded has disclosed a command injection vulnerability in the management web interface endpoint /public/template.cgi of its Meteobridge.
Read More
Rapid Response
How to find VMware Aria installations on your network
VMware has disclosed a local privilege escalation vulnerability in its VMware Aria Operations and VMware Tools. Here's how to find impacted assets.
Read More
Rapid Response
How to find Cisco firewalls on your network
Cisco has disclosed three vulnerabilities on certain versions of Cisco Secure Firewall ASA and Cisco Secure FTD software.
Read More
Rapid Response
How to find Cisco IOS & IOS-XE devices
Cisco has disclosed a vulnerability, CVE-2025-20352, in its IOS and IOS-XE software. Here's how to find affected assets with runZero.
Read More
Rapid Response
How to find SolarWinds Web Help Desk services on your network
SolarWinds has disclosed a deserialization of untrusted data vulnerability in the AjaxProxy component of its Web Help Desk (WHD).
Read More
Rapid Response
How to find Fortra GoAnywhere MFT installations
Fortra has disclosed a deserialization of untrusted data vulnerability in the license servlet of its GoAnywhere Managed File Transfer (MFT).
Read More
Rapid Response
How to find WatchGuard Firebox appliances on your network
WatchGuard has disclosed that certain versions of its Fireware OS are affected by an out-of-bounds write vulnerability in IKED. Find affected assets.
Read More
Rapid Response
How to find Daikin Security Gateway devices on your network
Daikin has disclosed a vulnerability in DELMIA Apriso that may allow a remote, unauthenticated adversary to perform remote code execution.
Read More
Rapid Response
How to find Dassault Systèmes DELMIA Apriso installations on your network
Dassault Systèmes (3DS) has disclosed a vulnerability in DELMIA Apriso that may allow a remote, unauthenticated adversary to perform remote code...
Read More
Rapid Response
How to find Adobe Commerce & Magento installations on your network
Adobe has disclosed an improper input validation vulnerability in the Commerce REST API, affecting certain versions of Adobe Commerce and Magento...
Read More
Background Image

Explorers, innovators, & experts

Meet the team behind our research.

We are a group of industry veterans with decades of experience in information security, who are committed to runZero’s foundational principle that applied research makes for better asset discovery, and that better asset discovery is the foundation of modern exposure management.

The goal of the runZero research team is to discover incredibly efficient ways to pinpoint at-risk devices and quickly get this information into the hands of our customers and community. We achieve this through both precise fingerprinting and fast outlier analysis across IT, OT, IoT, cloud, mobile, and remote environments. 

HD Moore

Founder & CEO

HD Moore is the founder and CEO of runZero. Previously, he founded the Metasploit Project and served as the main developer of the Metasploit Framework, which is the world's most widely used penetration testing framework.

More from HD Moore

Rob King

Director of Applied Research

Rob King is the Director of Applied Research at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped...

More from Rob King

Tom Sellers

Principal Research Engineer

Tom Sellers is a Principal Research Engineer at runZero. In his 25 years in IT and Security he has built, broken, and defended networks for companies in the finance, service provider, and security software industries. He has...

More from Tom Sellers

todb

Vice President of Security Research

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infr...

More from todb

Matthew Kienow

Vulnerability Researcher

Matthew Kienow is a software engineer and security researcher. Matthew previously worked on the Recog recognition framework, AttackerKB as well as Metasploit's MSF 5 APIs. He has also designed, built, and successfully deploye...

More from Matthew Kienow

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

Try it Free
© Copyright 2025 runZero, Inc. All Rights Reserved