Exposure management needs a reboot. Great research is the key to innovating new solutions.

Securing your total attack surface has never been more challenging. We believe that applied research is fundamental to building better security solutions to address both new problems and the persistent ones that dog security teams. By sharing our research, tools, and knowledge with our community, we can help each other proactively improve our defenses and raise the bar on attackers.

New Release: Exposure management for the AI-attack era

runZero 5.0 streamlines the entire exposure management lifecycle: from discovery to risk prioritization to verified remediation. 

When you're up against AI, every minute counts. Get deep, actionable intelligence across your entire attack surface to close the gaps and hold the line.

Join HD Moore on July 29: Securing the modern IT/OT attack surface

Discover how to effectively bridge the visibility gap and secure your modern IT/OT infrastructure.

HD Moore and Chris Ray will share actionable methods for hardening your OT defenses and the main takeaways from the 2026 GigaOm Radar for OT Security.

AI-pocalypse now? Why the 2026 DBIR is actually good news

Join us live on July 15th for runZero Hour! Tod, Brianna, and special guest Alex Pinto (AD, Threat Intelligence at Verizon) will break down 2026 DBIR vulnerability trends.

Plus learn how AI is shifting the threat landscape, and how the new runZero 5.0 release outpaces automated adversaries.

Tools built by the Research team

Practical tools to help you find, visualize, and prioritize the exposures that put your network at risk.

Research Reports

In-depth analysis and data-driven insights to help you prioritize risk and strengthen your exposure management program.

Latest Research Blogs

Dive into the latest findings, insights, and observations on attack surfaces from our research team.

runZero Research
Seven FatFs bugs, one very large blast radius
One small component, massive blast radius. Explore seven new FatFs vulnerabilities discovered via AI that impact RTOS platforms, IoT devices, and...
runZero Research
Understanding Squidbleed, CVE-2026-47729
Squidbleed (CVE-2026-47729) is making headlines, but actual risk is low. Read our breakdown of this Squid proxy bug and how to check your inventory.
runZero Research
How to use the KEV collider: A quick tour
Layer signals and test filters to see risk indicators interact across the KEV catalog in real time. No install. No creds. Just open & start...
Product
Announcing runZero 4.9: Unmask attack paths and segmentation gaps with advanced topology and deep OT device intelligence
With runZero 4.9, visualize attacker lateral movement, harden network choke points, gain deep OT telemetry to secure converged environments, and more.
runZero Research
Making the CISA KEV actionable for real-world risk
If you want to understand what the KEV is actually telling you, read our new KEVology report, then take the analysis into the lab with the KEV...
runZero Research
Webcast recap: see + secure everything in your OT environment
A recap of last week’s webcast, where the runZero research team dug into the hard-earned lessons of managing sensitive OT environments.
runZero Research
The runZero CNA is the newest CVE Numbering Authority!
runZero is now officially a CVE Numbering Authority!
runZero Research
Winpocalypse: One month later, the zombies are multiplying
We’re just over a month out from the Winpocalypse, where all Windows 10 operating systems technically went end-of-life. Let's talk about it.
runZero Research
runZero Hour recap: Beyond the veil with end-of-life OSes
In this episode, we talk about everything from current programming languages to mysterious firmware to, of course, the natural process of degrading...
runZero Research
Windows 10 EOL: A Winpocalypse just like Y2K
The end of Windows 10 is here, and with it comes a surge of exploitable systems. Move fast and find your exposures before attackers do with runZero.
runZero Research
From legacy to liability: New research report on end-of-life assets
End-of-life (EOL) operating systems don’t just fade away. They linger in enterprise networks like the undead — unchanging, unpatched, and...

Latest runZero Hour Episodes

Watch recent episodes of our monthly research webcast exploring all things exposure and timely security topics.

Webcasts
runZero Hour, Ep. 31: The New Rules of Risk: EPSS v5 and Agentic Adversaries
In this episode, learn how your security team can use EPSS v5 to inform daily risk decisions in a world increasingly targeted by the apex agentic...
Webcasts
runZero Hour, Ep. 30: Segmentation - stop assuming & start verifying with runZero 4.9
See runZero 4.9 in action! Join HD Moore and Tod Beardsley to learn how interactive attack path mapping and advanced OT intelligence expose hidden...
Webcasts
runZero Hour, Ep. 29: Live, Laugh, Malware: LLMs in Cybersecurity
Join Tod Beardsley and Rob King as they welcome guest Caroline Wong, author of The AI Cybersecurity Handbook.
Webcasts
runZero Hour, Ep. 28: Deep dive into OT retroencabulation
Tod Beardsley and Rob King were joined by special guest Ulises Fuentes Venado, Senior OT Pre-Sales Engineer at GuidePoint Security, for a thorough...
Webcasts
runZero Hour, Ep. 27: KEVology 101 – observing exploit trajectories in the KEV Collider
In this episode or runZero Hour, Tod Beardsley, Rob King, and special guest Wade Sparks (CISA and VulnCheck KEV veteran) explore the science of...
Webcasts
runZero Hour, Ep. 26: Exploring offseason resorts and OT networks with Brianna Cluck
In the first 2026 episode of runZero Hour, Rob King and Tod Beardsley chat it up with fan-favorite OT expert Brianna Cluck from GreyNoise...
Webcasts
runZero Hour, Ep. 25: The Holiday Hackstravaganza!
Tod Beardsley, Rob King, (and special guests!) look back at 2025’s wildest vulnerabilities, standout research, and make bold predictions for 2026.
Webcasts
runZero Hour, Ep. 24: Attack graphs with runZero and BloodHound!
In this episode, runZero's Tod Beardsley, Rob King, HD Moore and Jared Atkinson, CTO of SpecterOps, dive into the tangled world of modern attack...
Webcasts
runZero Hour, Ep. 23: Beyond the veil with end-of-life OSes
In this episode of runZero Hour Rob King, Tod Beardsley, and captn3m0 (creator of endoflife.date) summon insights from runZero’s latest research...
Webcasts
runZero Hour, Ep. 22: Poking the bear (safely) - our expanded vuln checks
We just added hundreds of new critical remote vulnerability checks to runZero that run safely across all your environments and are way faster than...
Webcasts
runZero Hour, Ep. 21: Hacker Summer Camp recap!
In this post-Hacker Summer Camp recap, Tod Beardsley, Rob King, HD Moore, and Matthew Kienow break down the most practical insights from BSidesLV,...
Webcasts
runZero Hour, Ep. 20: Reshaping security with open source: Insights from ProjectDiscovery & runZero
On this episode, we celebrate open source collaboration with the minds behind ProjectDiscovery: Rishiraj Sharma and Sandeep Singh, the co-founders...

Latest Rapid Responses

Get tips on addressing 0-day threats and see how to uncover them immediately with runZero prebuilt queries.

Rapid Response
How to find BeyondTrust appliances on your network
BeyondTrust has disclosed multiple pre-authentication authorization vulnerabilities affecting certain versions of both RS and PRA.
Rapid Response
How to find Adobe ColdFusion installations on your network
Adobe disclosed multiple vulnerabilities in their ColdFusion rapid application development product. Here's how to find affected assets with runZero.
Rapid Response
How to find Citrix NetScaler ADC & Gateway instances on your network
Citrix has published a security bulletin, documenting multiple vulnerabilities that impact customer-managed installs of NetScaler ADC & NetScaler...
Rapid Response
How to find Microsoft SQL Server installations on your network
Microsoft has disclosed three vulnerabilities in certain versions of Microsoft SQL Server. Here's how to find affected assets on your network.
Rapid Response
How to find Splunk Enterprise on your network
Certain versions of the Splunk Enterprise solution utilize the PostgreSQL Sidecar Service that contains an unauthenticated file upload vulnerability.
Rapid Response
How to find Oracle PeopleSoft on your network
Oracle disclosed that certain versions of PeopleSoft are susceptible to exploitation. Here's how to find impacted assets.
Rapid Response
How to find Ivanti Sentry on your network
Ivanti disclosed that certain versions of Sentry are susceptible to two vulnerabilities. Here's how to find impacted assets.
Rapid Response
How to find Veeam software on your network
Certain versions of Veeam Backup & Replication contain a vulnerability that allows an authenticated domain user to achieve RCE on the Backup Server.
Rapid Response
How to find LiteLLM instances on your network
LiteLLM has disclosed that certain versions of LiteLLM Proxy are susceptible to multiple vulnerabilities that can be chained together to achieve RCE.
Rapid Response
How to find Check Point devices
Critical Check Point VPN vulnerability allows unauthenticated attackers to bypass IKEv1 authentication. Here's how to find affected assets.
Rapid Response
How to find Palo Alto Networks devices running PAN-OS
PAN has disclosed that certain versions of PAN-OS are affected by an authentication bypass vulnerability in the GlobalProtect portal and gateway.
Rapid Response
How to find Gogs installations on your network
Certain versions of Gogs are affected by an argument injection vulnerability within the pull request "Rebase before merging" style merge handling.

Revisit Hacker Summer Camp!

Relive the highlights of our epic week at Hacker Summer Camp 2025 with talks and interviews across BSides, Black Hat, and DEF CON.

Talks
DEF CON 33 - Shaking out shells with SSHamble (HD Moore)
This session is an extension of our 2024 work and includes new research as well as big updates to our open source research and assessment tool,...
Talks
DEF CON 33 - There and back again: detecting OT devices across protocol gateways (Rob King)
Presented by Rob King at DEF CON 33, this talk discusses techniques for detecting devices on the "other side" of protocol gateways.
Podcasts
The often-overlooked truth in cybersecurity: seeing the unseen in vulnerability management
Sean Martin (ITSPmagazine) speaks with HD Moore about an overlooked truth in cybersecurity: the greatest risks are usually the things you don’t...
Podcasts
You can’t get there from here: why we need a new way to manage exposure
At Black Hat 2025, CyberRisk TV sits down with HD Moore for a no-BS conversation on why vulnerability management is still failing enterprises.
Talks
Charting the SSH multiverse with HD Moore (BSidesSF 2025)
Watch runZero founder HD Moore, explore the multitude of SSH implementations, their specific weaknesses, and real-world exposures.
Talks
Forging strong cyber communities in uncertain times
HD Moore and Nicole Schwartz explore what it takes to create and foster robust cybersecurity communities and why we should all get involved in...
Webcasts
runZero Hour, Ep. 21: Hacker Summer Camp recap!
In this post-Hacker Summer Camp recap, Tod Beardsley, Rob King, HD Moore, and Matthew Kienow break down the most practical insights from BSidesLV,...
Background Image

Explorers, innovators, & experts

Meet the team behind our research.

We are a group of industry veterans with decades of experience in information security, who are committed to runZero’s foundational principle that applied research makes for better asset discovery, and that better asset discovery is the foundation of modern exposure management.

The goal of the runZero research team is to discover incredibly efficient ways to pinpoint at-risk devices and quickly get this information into the hands of our customers and community. We achieve this through both precise fingerprinting and fast outlier analysis across IT, OT, IoT, cloud, mobile, and remote environments. 

HD Moore

Founder & CEO, runZero

HD Moore is the founder and CEO of runZero. Previously, he founded the Metasploit Project and served as the main developer of the Metasploit Framework, which is the world's most widely used penetration testing framework.

More from HD Moore

Tom Sellers

Principal Research Engineer

Tom Sellers is a Principal Research Engineer at runZero. In his 25 years in IT and Security he has built, broken, and defended networks for companies in the finance, service provider, and security software industries. He has...

More from Tom Sellers

todb

VP, Security Research, runZero

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infra...

More from todb

Matthew Kienow

Vulnerability Researcher

Matthew Kienow is a software engineer and security researcher. Matthew previously worked on the Recog recognition framework, AttackerKB as well as Metasploit's MSF 5 APIs. He has also designed, built, and successfully deploye...

More from Matthew Kienow

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.