🗓️ Join us & Jay Jacobs (EPSS Lead Data Scientist) for a very special runZero Hour. Register Now!

Exposure management needs a reboot. Great research is the key to innovating new solutions.

Securing your total attack surface has never been more challenging. We believe that applied research is fundamental to building better security solutions to address both new problems and the persistent ones that dog security teams. By sharing our research, tools, and knowledge with our community, we can help each other proactively improve our defenses and raise the bar on attackers.

SSHamble: Exploit SSH protocol vulnerabilities

The runZero research team discovered a range of weaknesses across SSH applications that impact critical network security devices and software. These long standing issues remained undiscovered due to the lack of tooling available – until now!

More about SSHamble

Read our latest research report: The State of Asset Security

The runZero research team analyzed millions of assets across hundreds of enterprise networks, including internal infrastructure, internet-facing assets, and cloud environments. We found alarming gaps, unexpected trends, and much more.

Download the Report

Subscribe to our monthly runZero Hour series

Jump down the security rabbit hole with us every month as our research team unpacks risky exposures, attack surface anomalies, and the most random vulnerabilities lurking in your IT, OT, IoT, remote, cloud, and mobile environments.

Register Now

runZero Research on the Road

Check out our upcoming speaking gigs

Saturday April 26, 2025
Charting the SSH Multiverse
Join runZero Founder and CEO HD Moore at BSides SF as he charts the SSH multiverse!

SSH—second only to HTTP in internet-wide exposure—has had a rocky year, and this talk dives into its many implementations, weaknesses, and real-world exposures. Grab your ticket now for this SSH deep dive!
Register Now
Sunday April 27, 2025
Discovering OT devices across protocol gateways
Don’t miss Rob King, Director of Security Research, at BSides SF as he explores the security implications of IT and OT convergence.

Rob's talk will cover OT protocols, device discovery, and navigating security challenges—even behind legacy protocol gateways.
Register Now
On Demand
New Webcast with Omdia

HD Moore and Omdia analyst Rik Turner discuss why traditional vulnerability management is struggling in modern IT infrastructures, why CVEs don’t tell the full story, and why prioritization alone isn’t enough to close critical security gaps. 

They also explore how exposure management offers a fundamentally different approach that’s better suited for today’s evolving threat landscape.

Watch Now
Background Image

Talk

DEF CON 32: SSHamble: Unexpected Exposures in SSH

The Secure Shell (SSH) has evolved from a remote shell service to a standardized secure transport that is second only to Transport Layer Security (TLS) in terms of exposure and popularity. SSH is no longer just for POSIX operating systems; SSH services can be found in everything from network devices, to source code forges, to Windows-based file transfer tools. While OpenSSH is still the most prominent implementation, it's now just one of dozens, and these include a handful of libraries that drive a wide range of applications.

Watch HD Moore and Rob King talk on stage at DEF CON 32, dig deep into SSH, the lesser-known implementations, many of the surprising security issues found along the way, and how to exploit them.

Watch Now

Latest runZero Hour Episodes

Watch recent episodes of our monthly research webcast exploring all things exposure and timely security topics.

Webcasts
runZero Hour Ep. 17: The State of Vuln Management, Our Approach, and a Deep Dive into New Risk Findings
On this special edition of runZero Hour, join Tod Beardsley and Rob King for a deep dive into the future of exposure management.
Watch Now
Webcasts
runZero Hour, Ep. 16: Handling EOL’d operating systems, runZero Starlink integration, and more!
Former CISA Section Chief and now VP of Security Research at runZero Tod Beardsley shares insights on handling end-of-life operating systems like...
Watch Now
Webcasts
runZero Hour, Ep. 15: Network topology, detailed fingerprinting and MODBUS love
On this episode of runZero Hour, Rob King and Tom Sellers welcome Brianna Cluck, researcher extraordinaire from GreyNoise Intelligence, covering a...
Watch Now
Webcasts
runZero Hour, Ep. 14: Introducing Inside-Out Attack Surface Management
New inside-out attack surface management capabilities, tips for discovering elusive TLS and SSH stacks, a deep dive on the iSCSI protocol, and new...
Watch Now
Webcasts
runZero Hour, Ep. 13: Anniversary episode reflecting on 2024 through the lens of IT-OT/IoT convergence
In this special anniversary episode we gathered an all-star panel of cybersecurity experts to look back on 2024 through the lens of IT-OT/IoT...
Watch Now
Webcasts
runZero Hour, Ep. 12: A deep-dive into OT devices, protocols, and vulnerabilities
In this month’s episode of runZero Hour, we take a deep dive into new research insights on OT devices, protocols, and vulnerabilities.
Watch Now
Webcasts
runZero Hour, Ep. 11: A CISA insider's perspective on managing the KEV catalog
Tod Beardsley, CISA cybersecurity expert offers an insider’s look into CISA’s mission and management of the Known Exploited Vulnerabilities (KEV)...
Watch Now
Webcasts
runZero Hour, Ep. 10: RDP security, ATG & PC-WORX OT protocols
We dug into the details of three different protocols, and explored how our exceptionally creative customers help drive innovation in our platform.
Watch Now
Webcasts
runZero Hour, Ep. 9: (SSHamble Edition)
Didn't make it to DEF CON 32? We got you! This episode of runZero Hour explores all things SSH, including our new open-source tool: SSHamble.
Watch Now
Webcasts
runZero Hour, Ep. 8: Kaspersky Ban, Energy Sector & regreSSHion
The latest insights (and opinions!) on the impending US ban of Kaspersky products, the FBI's warning for threats against the renewable energy...
Watch Now
Webcasts
runZero Hour, Ep. 7: Fascinating Payloads & New Revelations in Threat Intelligence
Tune in for our monthly deep dive on the state of asset security. In Episode 7, we welcome a special guest, Brianna Cluck, from GreyNoise.
Watch Now
Webcasts
runZero Hour, Ep. 6: The Research Report Deep Dive
Join the runZero Research team as they discuss highlights of their new research and share insights derived from analysis of nearly four million...
Watch Now

Latest Research Blogs

Dive into the latest findings, insights, and observations on attack surfaces from our research team.

runZero Research
RDP security: The impact of secure defaults and legacy protocols
Explore the evolution of the Remote Desktop Protocol to become secure by default and learn how to audit your environment for risky RDP configurations.
Read More
runZero Research
Proven fingerprinting techniques for effective attack surface management
Precise asset identification is critical for effective cyber asset attack surface management. See how runZero’s techniques are unmatched.
Read More
runZero Research
How to detect SSH key reuse
Unmanaged SSH keys leaves networks vulnerable to cyber attacks. Learn how Zero helps with auditing SSH keys to reduce unnecessary exposures on your...
Read More
runZero Research
End-of-life assets: managing risks in outdated technology
Outdated assets create a more accessible entry point for attackers to exploit your attack surface. Learn how the runZero Platform effectively...
Read More
runZero Research
Cyber asset management in the era of segmentation decay
Network segmentation faces limitations with modern equipment. See how a CAASM approach can improve asset discovery and threat protection.
Read More
runZero Research
How runZero speaks to the TwinCAT 3 Automation Device Specification (ADS) protocol
In industrial automation, TwinCAT 3’s Automation Device Specification (ADS) protocol ensures seamless communication between components and systems....
Read More
runZero Research
Unusual Assets: The riskiest factor in attack surface management
runZero’s research finds outlier assets, even if just slightly unusual, are often significantly riskier than others. The outlier score gives...
Read More
runZero Research
Active Asset Discovery in OT networks: runZero and the NREL/CECA Report
The Cohort 2 report describes how runZero safely discovers devices in a large, complex OT/ICS environment. Learn more about runZero's discovery...
Read More
runZero Research
AI in CAASM: The Risks of LLM data in security-critical workflows
Current generation AI tools provide appealing answers but struggle with a crucial challenge: knowing the truth, which poses great security risks.
Read More
runZero Research
SSHamble: Unexpected exposures in the Secure Shell
We conducted a deep dive into the SSH ecosystem and identified vulnerabilities across a wide range of implementations. During the research process,...
Read More
runZero Research
Attack Surface Challenges with OT/ICS and Cloud Environments
Learn why successfully navigating changes to operational technology and cloud attack surfaces is critical for successful asset security.
Read More
runZero Research
Evolving threat landscapes: a view through the lens of CAASM
See what our analysis of sample CAASM data reveals about the current threat landscape and how security teams are responding to challenges old and new.
Read More

Latest Rapid Responses

Get tips on addressing 0-day threats and see how to uncover them immediately with runZero prebuilt queries.

Rapid Response
How to find ASUS AiCloud routers on your network
ASUS has disclosed a 'highly critical' vulnerability in several of its router models using its "AiCloud" functionality. Here's how to find impacted...
Read More
Rapid Response
How to find Erlang/OTP SSH servers on your network
Some versions of the Erlang/OTP embedded SSH server contain a highly critical vulnerability (CVE-2025-32433) in their handling of SSH protocol...
Read More
Rapid Response
How to find Lantronix Xport devices on your network
On April 15, 2025, CISA published an advisory announcing that certain versions of the Lantronix Xport products are vulnerable to an authentication...
Read More
Rapid Response
How to find Gladinet CentreStack installations in your network
A vulnerability in Gladinet's CentreStack collaboration product could allow an attacker to execute arbitrary code on vulnerable systems. Here's how...
Read More
Rapid Response
How to find Adobe ColdFusion installations on your network
Adobe disclosed multiple vulnerabilities in their ColdFusion rapid application development product that could allow an attacker to execute...
Read More
Rapid Response
How to find Fortinet FortiSwitch assets on your network
Fortinet has issued an advisory for its Fortinet FortiSwitch product. This vuln has been assigned CVSS score of 9.3 (extremely critical).
Read More
Rapid Response
How to find Ivanti gateways on your network
On April 3rd, 2025, Ivanti disclosed a vulnerability in their Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products. Here's how to...
Read More
Rapid Response
How to find Dell EMC devices on your network
Dell published a security advisory for Dell Unity, Unity VSA, and Unity XT products vulnerable to complete system take over. Here's how to find...
Read More
Rapid Response
How to find CrushFTP services
CrushFTP disclosed that a vulnerability in their file transfer product allows an unauthenticated remote attacker to bypass authentication on some...
Read More
Rapid Response
How to find Kubernetes Ingress-NGINX Controller installations on your network
On March 24th, Wiz and Kubernetes disclosed a pre-authentication remote code execution attack chain. Here's how to find Ingress-NGINX controller...
Read More
Rapid Response
How to find Next.js on your network
On March 22nd, Next.js disclosed an authentication bypass vulnerability. Here's how to find Next.js systems on your network.
Read More
Rapid Response
How to find AIX systems running NIMSH on your network
Certain versions of IBM AIX contain vulnerabilities in the Network Install Manager (NIM) subsystem. Here's how to find affected assets with runZero.
Read More
Background Image

Explorers, innovators, & experts

Meet the team behind our research.

We are a group of industry veterans with decades of experience in information security, who are committed to runZero’s foundational principle that applied research makes for better asset discovery, and that better asset discovery is the foundation of modern exposure management.

The goal of the runZero research team is to discover incredibly efficient ways to pinpoint at-risk devices and quickly get this information into the hands of our customers and community. We achieve this through both precise fingerprinting and fast outlier analysis across IT, OT, IoT, cloud, mobile, and remote environments. 

HD Moore

Founder & CEO

HD Moore is the founder and CEO of runZero. Previously, he founded the Metasploit Project and served as the main developer of the Metasploit Framework, which is the world's most widely used penetration testing framework.

More from HD Moore

Rob King

Director of Security Research

Rob King is the Director of Security Research at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped...

More from Rob King

Tom Sellers

Principal Research Engineer

Tom Sellers is a Principal Research Engineer at runZero. In his 25 years in IT and Security he has built, broken, and defended networks for companies in the finance, service provider, and security software industries. He has...

More from Tom Sellers

todb

Vice President of Security Research

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infra...

More from todb

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

Try it Free
© Copyright 2025 runZero, Inc. All Rights Reserved

Discover the new era of exposure management!

Read our Launch Blog