Design & Implementation of an Exploit Development Program
Zero Days Discovered Monthly
First Of Its Kind
Annual Sustainment Costs
Total Time in Months to Design & Implement
The client requested assistance in taking their current Red Team Program to the next level. A quick assessment of their Red Team Program revealed many gaps in their People, Processes and Technologies. The recommendation was to bolt on an Exploit Development Program to enhance their Red Team capabilities.
Context / Action
We designed and implemented an Exploit Development Program (People, Processes and Technologies) to provide Red Teams with advanced and tangible intelligence on existing and emerging threats and to create customized scripts and programs that enhance Red Team capabilities. The program discovers, analyzes, and weaponizes zero-day vulnerabilities.
The program utilized various types of testing for compiled applications to detect the types of byzantine faults and complex vulnerabilities that only emerge as a result of runtime interactions of components with external entities. The types of testing include, but are not limited to, fault injection, fuzzing, binary code scanning and other static analysis.
Written reports were generated detailing the following: affected products, versions, operating systems, and architectures; information on common configurations and product deployment; the severity of the issue and the privileges gained through successful exploitation; a description of the vulnerable component; a disassembly or source code walkthrough of the vulnerable code; a thorough description of exploitation covering reliability, likelihood, and difficulty; a breakdown of the network traffic for both an attack and legitimate data; how to mitigate risk of exposure prior to a patch being available; a description of the included exploit and its usage; network packet captures of both a malicious attack and benign traffic; an advanced exploit of the flaw (note: not just a “proof of concept”); additional documentation discussing the exploit payload or other intricacies; and an XML document for easy integration into SIEMs or other issue tracking software.
For implementation, we coordinated with US CERT, Army Red Teams/Penetration Testing Teams, and others to share information and to work with vendors to remediate the discovered issues. After implementation, the client received several accolades from their parent organization for developing the first proactive, bleeding-edge program of its kind!
Are You A Government Contracting Company?
We are a Minority and Veteran-Owned Small Business. And we are always happy to take on Joint Venture Partnerships with other Government Contracting Companies. Let's Talk!
Are You A Government Civilian or Military Leader?
As a former Government, GS-15, Civilian, United States Marine and Pentagon's Security Architect, I understand the struggles of protecting Web Applications within vast Enterprise Architectures. Let's Talk!
3 Steps to Better Protections, Better Solutions & Better Sleep
Schedule A Call
If you have a Government Web Application (website) that you NEED protected, then schedule a call. The call is free, and it is in place so that we can better understand your mission and goals.
Get Your Plan
During your call, we will talk about your current situation, your desired situation, and whether or not we are a good fit to work together. If we do work together, we will tell you how we can best protect your web application.
Protect Your Mission
Move forward with your mission and sleep easy by knowing that light will soon illuminate your Cyber world!