Vulnerability Research

Reverse engineering, fuzzing & 0-day discovery for wireless and embedded systems

Before Attackers Find Them

We hunt vulnerabilities that scanners can't see

Our researchers go deeper than standard pentests — hunting for unknown vulnerabilities in your products before they ship. We reverse engineer firmware, dissect proprietary protocols, and fuzz attack surfaces to find the bugs that conventional testing cannot reach.

Using protocol fuzzing, firmware emulation, and manual binary analysis, we uncover 0-days.

Our research track record
  • 69+ publications and CVEs discovered
  • Presented at major security conferences
  • Vulnerabilities in telecom, automotive & IoT
  • Coordinated disclosure with vendors
  • Open-source tools used by the community

What we do

Research Services

Understanding the unknown

Reverse Engineering

We reverse engineer firmware, binaries, protocol stacks, and silicon to understand how systems work — and where they break. Our team handles ARM, MIPS, RISC-V, and x86 architectures, obfuscated code, proprietary protocols, and hardware with no available documentation. When there's no source code, we build understanding from scratch.

Capabilities
  • Firmware RE: bare-metal, RTOS, Linux-based
  • Protocol RE: proprietary wireless protocol dissection
  • Baseband RE: cellular modem firmware analysis
  • Binary analysis: multi-architecture, obfuscated
  • Crypto analysis: custom encryption schemes

Automated vulnerability discovery

Protocol & Baseband Fuzzing

We build and deploy custom fuzzers targeting wireless protocol stacks, baseband implementations, and embedded parsers. Our fuzzing campaigns cover both over-the-air interfaces (using real SDR equipment) and software-level attack surfaces (using emulation and instrumentation). This is how we find the bugs that matter: memory corruption, authentication bypasses, and denial-of-service conditions in production hardware.

Fuzzing targets
  • Baseband modems: 2G/3G/4G/5G NAS, RRC and AS layers, and more exotic ones
  • Protocol stacks: LoRaWAN, BLE, Zigbee, Z-Wave
  • OTA interfaces: SDR-based live fuzzing
  • Firmware parsers: file formats, configuration, OTA updates
  • Automotive: CAN, UDS, V2X message parsing

Safe & scalable analysis

Firmware Emulation & Instrumentation

When direct hardware access is limited or when we need to scale analysis, we emulate target firmware in controlled environments. This allows us to instrument code execution, trace memory operations, and run automated analysis at a speed and depth impossible on physical hardware alone.

Techniques
  • Full system emulation: QEMU, Unicorn, custom setups
  • Dynamic instrumentation: Frida, DynamoRIO, and others
  • Coverage-guided fuzzing: AFL++, libFuzzer, custom harnesses
  • Taint analysis: data flow tracking through firmware
  • Peripheral emulation: hardware-in-the-loop simulation

Tools & Frameworks

Ghidra, Binary Ninja, Frida, QEMU, Unicorn, AFL++, libFuzzer, Scapy, RF Swift, GNU Radio, Wireshark, custom fuzzers, and proprietary instrumentation built from our R&D.

Need to find vulnerabilities before your adversaries do?

Tell us about your product — we'll design a targeted research engagement to uncover the bugs that matter most.