Semgrep Scanner
Runs Semgrep static analysis with parallel subagents — full ruleset and high-confidence security scan modes with Semgrep Pro cross-file taint analysis.
Skills for vulnerability research, fuzzing, static analysis, and security auditing
Runs Semgrep static analysis with parallel subagents — full ruleset and high-confidence security scan modes with Semgrep Pro cross-file taint analysis.
Scans codebases for security vulnerabilities using CodeQL interprocedural data flow and taint tracking — supports full and important-only scan modes.
Coverage-guided Python fuzzer based on libFuzzer — fuzzes pure Python code and Python C extensions.
De facto standard fuzzing tool for Rust projects, driven from Cargo with a libFuzzer backend.
AFL++ fuzzer with advanced features — multi-core fuzzing of C/C++ projects with better performance than the original AFL.
Techniques for writing effective fuzzing harnesses across languages — creating new fuzz targets and improving existing harness code.
Expertise for analyzing DWARF debug files and understanding the DWARF debug format/standard (v3-v5).
Searches and explores Burp Suite project files (.burp) from the command line — searches response bodies with regex, extracts audit findings.
Scans Android APKs for Firebase security misconfigurations — open databases, storage buckets, authentication issues, and exposed cloud functions.
Audits GitHub Actions workflows for security vulnerabilities in AI agent integrations — detects prompt-injection paths through environment-variable patterns and dangerous sandbox configurations.
Detects missing zeroization of sensitive data in source code, and zeroization that compiler optimizations (dead-store elimination) removed, by analyzing the emitted assembly.
Guides authoring of high-quality YARA-X detection rules for malware identification — naming conventions, string selection, performance, and false positive reduction.
Identifies dependencies at heightened risk of exploitation or takeover — assesses supply chain attack surface and dependency health.
Guidance for property-based testing across multiple languages and smart contracts — stronger coverage than example-based tests.
Creates language variants of existing Semgrep rules — ports rules to target languages with independent test directories.
Creates custom Semgrep rules for detecting security vulnerabilities, bug patterns, and code patterns.
Identifies error-prone APIs, dangerous configurations, and footgun designs that enable security mistakes — evaluates "secure by default" principles.
Detects fail-open insecure defaults — hardcoded secrets, weak authentication, and permissive security configurations that allow apps to run insecurely in production.
Detects timing side-channel vulnerabilities in cryptographic code across C, C++, Go, Rust, Swift, Java, Kotlin, C#, PHP, JS, TS, Python, and Ruby.
Finds similar vulnerabilities across codebases using pattern-based analysis — hunts bug variants, builds CodeQL/Semgrep queries, and performs systematic code audits.
Security-focused differential review of code changes (PRs, commits, diffs) — calculates blast radius and generates markdown reports.
Enables ultra-granular, line-by-line code analysis to build deep architectural context before vulnerability or bug finding.
Analyzes smart contract codebases to identify state-changing entry points for security auditing — categorizes by access level and generates structured audit reports.
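The block below is an added example, not code from this catalog or from any of the tools it lists. It shows, in C, the two defects that the timing side-channel skill and the zeroization skill above look for: an early-exit tag comparison whose running time leaks the length of the correct prefix, beside a constant-time comparison, and a wipe routine that survives dead-store elimination. All function names and the sample tag bytes are hypothetical and constructed for the example.

```c
/* Added example: constant-time tag comparison and optimizer-proof zeroization.
 * Not part of any listed tool; names and sample data are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Early-exit comparison, written out so the leak is visible: the number of
 * bytes examined (and so the time taken) is 1 + the length of the matching
 * prefix, which an attacker can recover one byte at a time by timing.
 * memcmp() behaves the same way on most libc implementations. */
int tag_equal_leaky(const uint8_t *a, const uint8_t *b, size_t n, size_t *examined) {
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *examined = i + 1;
            return 0;
        }
    }
    *examined = n;
    return 1;
}

/* Constant-time comparison: every byte is always touched and the verdict is
 * derived from the accumulated OR without a data-dependent branch.
 * The examined counter is only there to contrast with the leaky version. */
int tag_equal_ct(const uint8_t *a, const uint8_t *b, size_t n, size_t *examined) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *examined = n;
    /* (diff - 1) underflows to 0xFFFFFFFF only when diff == 0, so the top
     * bit is 1 exactly for "equal" with no branch on secret data. */
    return (int)(((uint32_t)diff - 1u) >> 31);
}

/* A plain memset() on a buffer that is never read again is a dead store the
 * optimizer may delete, leaving key material on the stack. Calling memset
 * through a volatile function pointer forces the compiler to emit the call,
 * because it cannot prove what the pointer holds at run time (the same idea
 * OpenSSL uses in OPENSSL_cleanse). C11 memset_s or explicit_bzero are
 * alternatives where the platform provides them. */
static void *(*const volatile memset_fn)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n) {
    memset_fn(p, 0, n);
}

/* Returns 1 if every byte of p[0..n) is zero, for checking a wipe. */
int is_all_zero(const uint8_t *p, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

int main(void) {
    /* Constructed sample: a 16-byte expected tag and two wrong guesses,
     * one differing in the first byte and one in the last. */
    uint8_t expected[16] = {0x5e, 0xd1, 0x3a, 0x77, 0x09, 0xc4, 0xf2, 0x10,
                            0xab, 0x61, 0x8e, 0x2f, 0x93, 0x4d, 0xe5, 0x7b};
    uint8_t guess_early[16], guess_late[16];
    size_t ex_early, ex_late;

    memcpy(guess_early, expected, sizeof expected);
    guess_early[0] ^= 0xff;
    memcpy(guess_late, expected, sizeof expected);
    guess_late[15] ^= 0xff;

    tag_equal_leaky(expected, guess_early, sizeof expected, &ex_early);
    tag_equal_leaky(expected, guess_late, sizeof expected, &ex_late);
    printf("leaky compare examined %zu vs %zu bytes\n", ex_early, ex_late);

    tag_equal_ct(expected, guess_early, sizeof expected, &ex_early);
    tag_equal_ct(expected, guess_late, sizeof expected, &ex_late);
    printf("constant-time compare examined %zu vs %zu bytes\n", ex_early, ex_late);

    /* Wipe the secret before it goes out of scope and confirm it is gone. */
    secure_zero(expected, sizeof expected);
    printf("expected tag wiped: %s\n",
           is_all_zero(expected, sizeof expected) ? "yes" : "no");
    return 0;
}
```

Compile with optimizations on (for example `-O2`) to exercise the case the zeroization skill targets; a plain `memset(expected, 0, ...)` in the same position is eligible for removal, while the volatile-pointer call is not. The examined-byte counters make the timing leak observable without a stopwatch: the leaky compare stops after 1 byte for a wrong first byte and after 16 for a wrong last byte, the constant-time compare always reads 16.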