Introducing Hacktron Review: an AI security reviewer for your pull requests. It understands your whole codebase, builds a threat model, takes your feedback, and catches exploitable vulnerabilities before they reach production. Try for free: app.hacktron.ai

RCE in Warp Terminal! I believe the attack surface is broadening with every new tool you use. Every OAuth app you authorise with elevated scopes.. we'd see more breaches via targeting tools/SaaS.. the attack surface is everyone and everything now - hacktron.ai/blog/the-attack-…

warp also supports this escape sequence, but unlike iTerm, its inline=0 path handling lets attacker-controlled terminal output write attacker-controlled content into attacker-controlled locations. so @HacktronAI found this arb file write. source: github.com/warpdotdev/warp/b…

👀 hacktron.ai/open-source/

So @Doyensec recently published a report comparing @xbow and @AikidoSecurity, two AI pentest platforms. I figured, why not run @HacktronAI on the same test? So I ran a pentest on one of the target. Hacktron cost $350, while XBOW and Aikido cost $4,000 each. We did pretty well!

Nice overview of the vulnerability discovery landscape! Very proud of the work we've done at @HacktronAI, as well as that of our peers at Anthropic and AISLE. AI has sped up vulnerability discovery, but coverage and signal remain to be important metrics we optimize for.

Who's finding what? @AnthropicAI owns critical count. @HacktronAI leads on severity exploitability. AISLE covers the most CWE types. There’s no clear overall winner.

Hacktron Review plugs into your pull requests and catches exploitable vulnerabilities other scanners walk straight past. Find real security issues within 24 hours of onboarding. Try it free → hacktron.ai

When Your VPN Opens Your Private Network to the Public! An auth bypass in Palo Alto PAN-OS CAS Auth (CVE-2026-0265) that lets an attacker connect to the company's GlobalProtect VPN. Blog - hacktron.ai/blog/cve-2026-02…

what can go wrong?

Check out our security work on Next.js. We’re also offering free security scans for open source projects. Apply here: hacktron.ai/blog/hacktron-re…

I've seen enough fundraising announcement videos. This isn’t one of them. At @HacktronAI, we do security, and we do it well. That’s what matters to us. We solve real problems for our customers. On average, they uncover real vulnerabilities missed by other tools within 24 hours of onboarding. Just this year, we've already responsibly disclosed vulnerabilities in Vercel's Next.js, Grafana, Jetbrain's YouTrack, OpenAM, Metabase, and BeyondTrust's Remote Support Software. No unearned, bullshit hype. Just security that works.

RCE in Github VSCode Copilot Chat hacktron.ai/blog/rce-in-vsco…

Hacktron ❤️ Open Source TL;DR: If you maintain an open source project, we want to give you Hacktron Review for free. Because giving maintainers the same capabilities as attackers would otherwise use against them felt like the right thing to do. hacktron.ai/blog/hacktron-re…

Next.js v16.2.5 fixes a bunch of vulnerabilities reported by @HacktronAI. Patch ASAP, especially if you’re running self-hosted Next.js that SSRF might affect you CVE-2026-44574: Middleware / Proxy bypass via dynamic route parameter injection CVE-2026-44578: SSRF in applications using WebSocket upgrades CVE-2026-44581: XSS in App Router applications using CSP nonces

when react2shell hit last year, i think vercel handled it brilliantly. to protect their users, they paid $50,000 for every bypass researchers could find. we decided to participate, and ended up earning $170,000. read how we did it here: hacktron.ai/blog/react2shell…