Exposure management needs a reboot. Great research is the key to innovating new solutions.

Securing your total attack surface has never been more challenging. We believe that applied research is fundamental to building better security solutions to address both new problems and the persistent ones that dog security teams. By sharing our research, tools, and knowledge with our community, we can help each other proactively improve our defenses and raise the bar on attackers.

SSHamble: Exploit SSH protocol vulnerabilities

The runZero research team discovered a range of weaknesses across SSH applications that impact critical network security devices and software. These long-standing issues remained undiscovered due to the lack of tooling available – until now!

Divining Risk: Deciphering Signals From Vulnerability Scores

Vulnerability scores promise clarity, but too often just add to the noise.

We analyzed signals from over 270,000 CVEs to reveal what CVSS, EPSS, and SSVC actually tell us — and what they don’t.

Subscribe to our monthly runZero Hour series

Jump down the security rabbit hole with us every month as our research team unpacks risky exposures, attack surface anomalies, and the most random vulnerabilities lurking in your IT, OT, IoT, remote, cloud, and mobile environments.

runZero Research on the Road

NSEC Keynote
"A Pirate's Guide to Snake Oil & Security"

Welcome aboard the CVSS Bonsecours!

runZero Founder & CEO HD Moore's first stop is the island of Vulnerability Management; a wild place first settled by hackers, now congested with warring tribes, each selling magick ointments that they claim will protect your ship from ghosts, whirlpools, termites, and giant squids alike.

We'll visit these tribes, compare their warez, identify the useful products, and highlight those that just leave you greasy and poor.

NSEC Talk
"Vulnerability Haruspicy: Using Woo to Confirm Your Biases"

VP of Security Research Tod Beardsley will dig into the strengths, weaknesses, and absurdities of CVSS, EPSS, and SSVC, comparing them to the reality of how security teams actually handle vulnerabilities.

Tod will explore where these models help, where they mislead, and whether any of them are meaningfully better than rolling a D20 saving throw vs exploitation.

Expect debate, disagreements, and plenty of astrology jokes.

runZero Hour
Unpacking vulnerability scoring systems with EPSS expert Jay Jacobs

Tune in for the next runZero Hour on May 21 as vulnerability scoring expert Jay Jacobs joins us for a spicy debate about what CVSS, EPSS, and SSVC really tell us — and what they don’t.

We’ll also share highlights from new research on scoring systems, common misconceptions, and how to prioritize risk with context, not just scores.

Trust us, you won't want to miss this one!


Talk

DEF CON 32: SSHamble: Unexpected Exposures in SSH

The Secure Shell (SSH) has evolved from a remote shell service to a standardized secure transport that is second only to Transport Layer Security (TLS) in terms of exposure and popularity. SSH is no longer just for POSIX operating systems; SSH services can be found in everything from network devices, to source code forges, to Windows-based file transfer tools. While OpenSSH is still the most prominent implementation, it's now just one of dozens, and these include a handful of libraries that drive a wide range of applications.

Watch HD Moore and Rob King on stage at DEF CON 32 as they dig deep into SSH, its lesser-known implementations, many of the surprising security issues found along the way, and how to exploit them.

Research Report: Volume 1

Uncovering Alarming Gaps & Unexpected Exposures

The runZero research team analyzed millions of assets across hundreds of enterprise networks, including internal infrastructure, internet-facing assets, and cloud environments. We found alarming gaps, unexpected trends, and much more.

Latest runZero Hour Episodes

Watch recent episodes of our monthly research webcast exploring all things exposure and timely security topics.

Webcasts
runZero Hour Ep. 17: The State of Vuln Management, Our Approach, and a Deep Dive into New Risk Findings
On this special edition of runZero Hour, join Tod Beardsley and Rob King for a deep dive into the future of exposure management.
Webcasts
runZero Hour, Ep. 16: Handling EOL’d operating systems, runZero Starlink integration, and more!
Former CISA Section Chief and now VP of Security Research at runZero Tod Beardsley shares insights on handling end-of-life operating systems like...
Webcasts
runZero Hour, Ep. 15: Network topology, detailed fingerprinting and MODBUS love
On this episode of runZero Hour, Rob King and Tom Sellers welcome Brianna Cluck, researcher extraordinaire from GreyNoise Intelligence, covering a...
Webcasts
runZero Hour, Ep. 14: Introducing Inside-Out Attack Surface Management
New inside-out attack surface management capabilities, tips for discovering elusive TLS and SSH stacks, a deep dive on the iSCSI protocol, and new...
Webcasts
runZero Hour, Ep. 13: Anniversary episode reflecting on 2024 through the lens of IT-OT/IoT convergence
In this special anniversary episode we gathered an all-star panel of cybersecurity experts to look back on 2024 through the lens of IT-OT/IoT...
Webcasts
runZero Hour, Ep. 12: A deep-dive into OT devices, protocols, and vulnerabilities
In this month’s episode of runZero Hour, we take a deep dive into new research insights on OT devices, protocols, and vulnerabilities.
Webcasts
runZero Hour, Ep. 11: A CISA insider's perspective on managing the KEV catalog
Tod Beardsley, CISA cybersecurity expert, offers an insider’s look into CISA’s mission and management of the Known Exploited Vulnerabilities (KEV)...
Webcasts
runZero Hour, Ep. 10: RDP security, ATG & PC-WORX OT protocols
We dug into the details of three different protocols, and explored how our exceptionally creative customers help drive innovation in our platform.
Webcasts
runZero Hour, Ep. 9: (SSHamble Edition)
Didn't make it to DEF CON 32? We got you! This episode of runZero Hour explores all things SSH, including our new open-source tool: SSHamble.
Webcasts
runZero Hour, Ep. 8: Kaspersky Ban, Energy Sector & regreSSHion
The latest insights (and opinions!) on the impending US ban of Kaspersky products, the FBI's warning for threats against the renewable energy...
Webcasts
runZero Hour, Ep. 7: Fascinating Payloads & New Revelations in Threat Intelligence
Tune in for our monthly deep dive on the state of asset security. In Episode 7, we welcome a special guest, Brianna Cluck, from GreyNoise.
Webcasts
runZero Hour, Ep. 6: The Research Report Deep Dive
Join the runZero Research team as they discuss highlights of their new research and share insights derived from analysis of nearly four million...

Latest Research Blogs

Dive into the latest findings, insights, and observations on attack surfaces from our research team.

runZero Research
CVSS, EPSS, and SSVC: How to Read Between the Vulnerability Scores
Learn about the strengths and limitations of each scoring system – and how to best leverage them to inform your triage strategy.
runZero Research
Labelling for End-of-Life Consumer IoT
IoT labelling is back on the menu, but how to actually do it is still tricky.
runZero Research
RDP security: The impact of secure defaults and legacy protocols
Explore the evolution of the Remote Desktop Protocol to become secure by default and learn how to audit your environment for risky RDP configurations.
runZero Research
Proven fingerprinting techniques for effective attack surface management
Precise asset identification is critical for effective cyber asset attack surface management. See how runZero’s techniques are unmatched.
runZero Research
How to detect SSH key reuse
Unmanaged SSH keys leave networks vulnerable to cyber attacks. Learn how runZero helps with auditing SSH keys to reduce unnecessary exposures on your...
runZero Research
End-of-life assets: managing risks in outdated technology
Outdated assets create a more accessible entry point for attackers to exploit your attack surface. Learn how the runZero Platform effectively...
runZero Research
Cyber asset management in the era of segmentation decay
Network segmentation faces limitations with modern equipment. See how a CAASM approach can improve asset discovery and threat protection.
runZero Research
How runZero speaks to the TwinCAT 3 Automation Device Specification (ADS) protocol
In industrial automation, TwinCAT 3’s Automation Device Specification (ADS) protocol ensures seamless communication between components and systems....
runZero Research
Unusual Assets: The riskiest factor in attack surface management
runZero’s research finds outlier assets, even if just slightly unusual, are often significantly riskier than others. The outlier score gives...
runZero Research
Active Asset Discovery in OT networks: runZero and the NREL/CECA Report
The Cohort 2 report describes how runZero safely discovers devices in a large, complex OT/ICS environment. Learn more about runZero's discovery...
runZero Research
AI in CAASM: The Risks of LLM data in security-critical workflows
Current generation AI tools provide appealing answers but struggle with a crucial challenge: knowing the truth, which poses great security risks.
runZero Research
SSHamble: Unexpected exposures in the Secure Shell
We conducted a deep dive into the SSH ecosystem and identified vulnerabilities across a wide range of implementations. During the research process,...

Latest Rapid Responses

Get tips on addressing 0-day threats and see how to uncover them immediately with runZero prebuilt queries.

Rapid Response
How to find DrayTek Vigor routers
A previously disclosed vulnerability (CVE-2024-12987) has recently been confirmed to be under active exploitation in the wild.
Rapid Response
How to find Samsung MagicINFO Server installations on your network
Samsung has issued a security advisory for its MagicINFO Server product. This vulnerability (CVE-2025-4632) is being actively exploited in the wild.
Rapid Response
How to find Ivanti EPMM (MobileIron Core)
Ivanti has disclosed multiple vulnerabilities in its Endpoint Manager Mobile (EPMM) product. Here's how to find affected assets with runZero.
Rapid Response
How to find Fortinet assets on your network
Fortinet issued an advisory for a critical vulnerability affecting multiple products that is actively being exploited in the wild.
Rapid Response
How to find Ivanti Neurons for ITSM installations on your network
Ivanti has issued an advisory disclosing a vulnerability in its Ivanti Neurons for ITSM product, in its on-premises version. Here's how to find...
Rapid Response
How to find Ubiquiti devices on your network
Ubiquiti has disclosed a vulnerability in its UniFi Protect IP cameras. Here's how to find potentially vulnerable assets with runZero.
Rapid Response
How to find SAP NetWeaver instances on your network
SAP issued a security advisory for several of their products including NetWeaver. Here's how to find instances running on your network.
Rapid Response
How to find SysAid Help Desk instances
On May 7th, Watchtowr disclosed multiple vulnerabilities in the SysAid Help Desk on-premises service management platform.
Rapid Response
How to find SonicWall devices on your network
SonicWall disclosed a vulnerability in their SMA100 appliances that could lead to unauthorized RCE. runZero can help you find vulnerable devices.
Rapid Response
How to find Cisco IOS & IOS-XE devices
Cisco Systems has disclosed 14 vulnerabilities in their devices which run Cisco IOS & IOS XE software. Here's how to find potentially vulnerable...
Rapid Response
How to find Langflow installations on your network
A vulnerability has been discovered in Langflow, a popular framework for building AI workflows. Here's how to locate potentially vulnerable installs.
Rapid Response
How to find Apple AirPlay devices on your network
Several AirPlay vulnerabilities were resolved in Apple's latest OS updates. Here's how to find potentially vulnerable devices on your network.

Explorers, innovators, & experts

Meet the team behind our research.

We are a group of industry veterans with decades of experience in information security, who are committed to runZero’s foundational principle that applied research makes for better asset discovery, and that better asset discovery is the foundation of modern exposure management.

The goal of the runZero research team is to discover incredibly efficient ways to pinpoint at-risk devices and quickly get this information into the hands of our customers and community. We achieve this through both precise fingerprinting and fast outlier analysis across IT, OT, IoT, cloud, mobile, and remote environments. 

HD Moore

Founder & CEO

HD Moore is the founder and CEO of runZero. Previously, he founded the Metasploit Project and served as the main developer of the Metasploit Framework, which is the world's most widely used penetration testing framework.

Rob King

Director of Security Research

Rob King is the Director of Security Research at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped...

Tom Sellers

Principal Research Engineer

Tom Sellers is a Principal Research Engineer at runZero. In his 25 years in IT and Security he has built, broken, and defended networks for companies in the finance, service provider, and security software industries. He has...

todb

Vice President of Security Research

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infra...
