Fortbridge


FORTBRIDGE – Leading IT Security Services in London | Cybersecurity Solutions, Penetration Testing, Red Teaming, Network & Cloud Security, and Cyber Defense

22/01/2026

2025 in review at FORTBRIDGE

A year of original security research, community, and sharing knowledge - across three continents.

Highlights from 2025

Research
This year we published and presented three original research projects, including:

• Feeld dating app - critical issues exposing highly sensitive user data
• Vesta Admin Takeover - exploiting reduced seed entropy in bash RANDOM to achieve full control panel compromise
• Concrete CMS: Two races, one RCE - two race conditions leading to remote code execution.

Our work on Vesta was also nominated for PortSwigger Top 10 Web Hacking Techniques of 2025, which we're particularly proud of.

Our work was also covered by The Guardian and The Register, helping bring responsible security research into the mainstream.

Conferences & community
We had the chance to present our research across the US, Canada, Europe, and Asia including:

• Europe: APIDays London, BSides Kent, BSides Bournemouth, BSides Bristol, SteelCon & DotNetSheff (Sheffield), BSides Budapest, BSides Dresden, BSides Galway, Pass the SALT Lille, OWASP Porto
• North America: BSides Calgary, HackMiami, DEF CON 33 (Las Vegas)
• Middle East: BlueHat (Tel Aviv)

Giving back & Growing the next generation
We worked with three interns this year, focusing on hands-on offensive security, real-world tooling, and research workflows.

As part of giving back to the community, we also sponsored BSides Dresden, supporting independent, community-driven security events in Europe.

Thanks to everyone who attended our talks, asked tough questions, reviewed our research, or collaborated with us along the way - and to the organisations who trusted us with responsible disclosure and remediation.

Looking forward to building on this in 2026.
—
FORTBRIDGE


28/04/2025

🌎 North America Cybersecurity Tour: May 2025 – Let's Connect! 🌎

We're excited to share that our very own Bogdan Tiron will be speaking at BSides Calgary (May 1–2) and HackMiami (May 17), presenting his latest research: "Examining Access Control Vulnerabilities in GraphQL – A Feeld Case Study."

As part of the tour, Bogdan will be traveling across Canada and the US, and is looking forward to meeting fellow security professionals, CISOs, and AppSec leaders for coffee, tech chats, or networking:

🔹 Calgary – Apr 30 to May 4 (speaking at BSides Calgary on May 1–2)
🔹 Seattle – May 4 to May 8
🔹 Detroit – May 8 to May 11 (attending BSides Detroit)
🔹 Washington DC – May 11 to May 14
🔹 Miami – May 14 to May 18 (speaking at HackMiami on May 17)

If you're based in any of these cities and would like to discuss securing modern applications, pentesting, phishing, red teaming, or hear more about our Feeld security research (featured in The Guardian and The Register), feel free to reach out — we'd love to connect!



Looking forward to connecting with many of you along the way! 💥

03/04/2025

We've been diving deep into what we learned from Zero Point Security's RTO and RTO II training — and decided to put that knowledge to use.

💡 The result? A custom variant of the Sliver C2 framework built to fly under the radar, bypassing Windows Defender and Elastic EDR with minimal code edits.

This was part of a hands-on research project developed by our brilliant intern, Samuel Birkinshaw.

The results speak for themselves.

🧪 Check it out:
🔗 https://fortbridge.co.uk/research/reforging-sliver-how-simple-code-edits-can-outmaneuver-edr/

Learn how Sliver can help you bypass EDR with tailored adaptations and discover the benefits of open source security tools.

03/04/2025

We're excited to announce that Adrian Tiron will be speaking at BlueHat IL, organized by Microsoft!

Adrian will start by poking at the PHP-based web interface of Vesta Control Panel — then take a detour into PHP internals (C) and bash source (also C) to understand how weak entropy in $RANDOM can lead to full admin takeover. From there, he'll walk through the custom exploit logic — mixing in a bit of Rust and Python to bring it to life.

Join us in celebrating his innovative research and connecting with fellow cybersecurity professionals at BlueHat IL!

03/04/2025

🐱 The cat is out of the bag! 🐱

Bogdan Tiron and Adrian Tiron will be speaking at BSidesBUD - IT Security Conference in May!

Once again, FORTBRIDGE has two presentations at a BSides conference—continuing our tradition of delivering cutting-edge cybersecurity insights to the community.

This isn't the first time we've brought multiple talks to BSides, and it certainly won't be the last. Stay tuned for more details on what we'll be presenting!

Looking forward to seeing you in Budapest! 🇭🇺

03/04/2025

The UK Telecoms Security Act (TSA) is a crucial regulation aimed at strengthening the security of telecom networks against ever-evolving cyber threats.

Tier 2 operators must be fully compliant by March 31, 2025—is your organization prepared?

In our latest blog post, we cover:

✅ The purpose, scope, and key requirements of the TSA
✅ Compliance challenges, and penalties for non-compliance
✅ The vital role of penetration testing in securing telecom networks
✅ How businesses can align with regulatory frameworks

🔗 Read the full blog post to stay ahead of compliance and enhance your telecom security:
https://fortbridge.co.uk/regulations/pentesting-for-uk-telecoms-security-act/

Learn about the UK Telecoms Security Act and how penetration testing helps ensure compliance and strengthen telecom network security.

03/04/2025

This past weekend, Adrian Tiron had an amazing time speaking at BSides Kent, and it was truly an unforgettable experience. Engaging with such a passionate audience, exchanging ideas, and diving deep into cybersecurity discussions made it all the more rewarding.

A huge shoutout to his fellow speakers—Stephan Berger, Joshua Limbrey, Donato Capitella, Sam Macdonald, Sadiyah Saeed, Jason R.C. Nurse, Bisola Kayode CISSP, CISM, Clare Patterson, Santi Abastante, and Lorna A. — it was a privilege to share the stage with such brilliant minds delivering thought-provoking talks.

A massive thank you to the BSides Kent organizers—Jason Steer, James Spear, and Lucy M.—for making this event possible. Your hard work and dedication to the cybersecurity community do not go unnoticed!

And to everyone who attended — thank you for the great questions, conversations, and good vibes throughout the day. Events like these are a reminder of why I love being part of this community.

Many thanks to everyone who reached out, asked questions, or simply wanted to connect and chat — it was a real pleasure interacting with you all! The event totally exceeded our expectations.

Already looking forward to the next one!

03/04/2025

This past weekend, Bogdan Tiron had the privilege of speaking at BSides Galway, where he shared insights on API security and access control vulnerabilities from our research at FORTBRIDGE. It was an incredible experience discussing real-world risks and engaging with such a knowledgeable audience.

We were pleasantly surprised by the level of interest and curiosity from the attendees as he received a lot of great questions at the end of his talk about law, privacy, logs, pentesting, REST/GraphQL, and more. It's always exciting to see such enthusiasm for cybersecurity!

A huge thank you to everyone who attended, asked questions, and shared their thoughts. Your support and feedback made this session truly rewarding! 🙌

Special thanks to Scott Thomas and Tom Hickey for organizing such a fantastic event and to all the volunteers who helped make BSides Galway a success. Your hard work and dedication truly made a difference!

Looking forward to more insightful conversations in the cybersecurity community!

03/04/2025

With cyber threats on the rise and data breaches making headlines, organizations must strengthen their security measures to meet regulatory requirements. The HITRUST CSF provides a unified framework for managing security and compliance, but achieving certification requires more than just policies—it demands proactive testing.

In this blog post, we break down HITRUST CSF, its key requirements, challenges, and how penetration testing plays a crucial role in achieving compliance. Plus, we explore the penalties for non-compliance and the future of HITRUST CSF.

Read the full blog post here:

https://fortbridge.co.uk/regulations/why-pe*******on-testing-is-critical-for-hitrust-csf-compliance/

Learn how HITRUST CSF and pentesting strengthen cybersecurity and ensure compliance, safeguarding your organization's sensitive data.

03/04/2025

🚨 The Digital Operational Resilience Act (DORA) Comes into Force Today! 🚨

Today marks a significant milestone for cybersecurity and operational resilience across the EU. With DORA officially in effect, organizations must now align their digital operations with robust resilience practices to mitigate cyber risks effectively.

To help you navigate these changes, we've published an insightful blog post: "Understanding DORA: Implications for Penetration Testing Practices".

This post covers:

✅ Companies in scope
✅ Penetration testing requirements, including Threat-Led Penetration Testing (TLPT)
✅ Testing frequency and guidelines
✅ Internal vs. external testers
✅ ICT third-party risk management

Whether you're a financial entity or an ICT service provider, this blog post will guide you through DORA's key provisions, ensuring compliance and a stronger cybersecurity posture.

🔗 Read the full article here:
https://fortbridge.co.uk/regulations/understanding-dora-implications-for-pe*******on-testing-practices/

Stay informed. Stay resilient. Let's embrace the new era of operational resilience together!

Explore the Digital Operational Resilience Act (DORA) and its pivotal impact on penetration testing in the EU financial sector.

03/04/2025

Penetration Testing for ISO/IEC 27001: Your Ultimate Compliance Guide

In a world where cyber threats are ever-evolving, securing sensitive information isn't just a priority—it's a necessity. ISO/IEC 27001 provides a globally recognized framework to protect your organization's valuable data, enhance trust, and ensure regulatory compliance.

Our latest blog post dives deep into:

✅ What ISO/IEC 27001 is and why it matters
✅ The certification process and compliance requirements
✅ The critical role of penetration testing in fortifying your ISMS
✅ Future trends and best practices for resilience

Whether you're just starting your compliance journey or looking to strengthen your security posture, this guide has everything you need.

🔗 Read the full blog post here:

https://fortbridge.co.uk/regulations/pe*******on-testing-for-iso-iec-27001-a-detailed-guide-to-compliance/

👉 Don't let security be an afterthought. Learn how to stay ahead in today's cyber landscape!

Discover everything you need to know about ISO/IEC 27001, from its purpose and implementation to its role in enhancing cybersecurity and achieving compliance.

Address

London
SE135FR

Opening Hours

Monday 9am - 6pm
