Research & Development

WE BUILD THE TOOLS AND TECHNIQUES THAT FIND TOMORROW'S VULNERABILITIES.

Security research that stays in the lab doesn’t make anyone safer. Our R&D teams work on problems that matter to government agencies, critical infrastructure, and the security community. We publish what we learn, including methods and tools, making it easier to secure the future.

What We Do

Most security research lives in one of two worlds: academic work that's rigorous but disconnected from production systems, or vendor research that's marketing with footnotes. We operate in the gap between them. Our research programs tackle hard problems in program analysis, binary translation, symbolic execution, and AI security, and we build working systems that get tested against real-world constraints.

That's not aspirational language. Our Buttercup cyber reasoning system placed second at DARPA's AI Cyber Challenge, winning $3M and proving that automated vulnerability discovery can work at scale. Our EBOSS program builds enhanced software bills of materials that actually help maintainers triage and remediate vulnerabilities in C and C++ codebases.

We're reverse engineering medical device firmware for ARPA-H, finding vulnerabilities in infusion pumps and wearable devices before attackers do. And we're designing the evaluation scenarios that measure whether AI models can actually do security work, or just talk about it.

What makes this different from typical R&D shops: we don't treat research as separate from practice. The techniques we develop feed directly into our client engagements, our open-source tools, and the broader security community. When we publish at USENIX or ISSTA, it's because we solved a problem worth solving, not because we needed another line on a CV.

OUR METHODOLOGY

We take on problems where the existing tools aren't good enough. That usually means building new ones.

Start with a real constraint, not an abstract question.
Our best work comes from programs where failure has consequences: DARPA evaluations with deadlines, medical devices with patient safety implications, AI systems that need to be evaluated before deployment. Theoretical elegance matters less than whether the thing actually works.

Build systems, not demos.
A proof-of-concept that works on three hand-picked examples isn’t research; it’s a screenshot. We build tools that handle the ugly cases: the codebases that don’t compile cleanly, the binaries that were never meant to be analyzed, the edge cases that break naive approaches.

Measure against something that matters.
Automated vulnerability discovery is only useful if it finds vulnerabilities humans would miss, faster than humans could find them. SBOM tooling only matters if it changes how maintainers actually respond to CVEs. We define success criteria early and hold ourselves to them.

Ship the work.
Research that sits in a private repo doesn’t help anyone. We open-source our tools, publish our findings, and integrate what we learn into production systems. If it’s not deployable, it’s not done.

OUR APPROACH

We’re not a research lab that occasionally consults, and we’re not a consulting firm with a research blog. Our R&D programs are staffed by the same engineers who do client work, which means research insights get applied immediately, and client problems inform what we study next. The feedback loop is tight and continuous.

Tell us about your hardest security problems

Contact us to build more secure software.

For secure communications, please use SendSafely or PGP.

Mailing Address

228 Park Ave S #80688, New York, NY 10003