Research & Development

Do not follow where the path may lead, go instead where there is no path and leave a trail

Cybervelia Ltd

We combine static and dynamic analysis, tailored instrumentation, and in-depth reverse engineering to uncover hidden vulnerabilities across a wide range of systems. Our capabilities include data-flow checks at the intermediate-representation level, real-time execution tracing, and both general-purpose and protocol-specific fuzzers. We've also developed in-house wireless tools for probing IoT protocols and devices, and we reverse engineer ROM firmware as well as desktop and mobile software to expose obscure flaws. This integrated approach enables rapid detection, validation, and prioritization of critical security issues, even in highly optimized or obfuscated targets.

Vulnerability Discovery - Use Case: ULV Static Analyzer

Our team has built an end-to-end vulnerability discovery pipeline focused on uninitialized stack variables, combining a bespoke Binary Ninja plugin with rich interprocedural data-flow analysis, size inference heuristics, and false-positive pruning. We seamlessly integrate IDA Pro symbol imports to restore human-readable function names, and leverage Intel PIN traces to filter findings against real execution paths. By reconstructing locals, detecting read-before-write events via MLIL SSA, inferring unknown buffer sizes, and mapping Parent→Middle→Affected call chains, we’ve systematically uncovered and triaged previously hidden information-leak risks in stripped binaries. This robust framework has enabled our company to identify high-impact ULV issues with precision and efficiency, demonstrating our leadership in automated binary-level vulnerability analysis.
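The bug class this pipeline targets, as an added example (not Cybervelia's code): a reply structure built field by field in a reused stack slot still carries stale bytes in its padding and in the unwritten tail of its buffer, and zeroing the slot first removes them. The `struct reply` layout, the `0xAA` marker and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed reply layout: padding normally follows `type`. */
struct reply {
    uint8_t  type;
    uint32_t len;
    char     name[8];
};

#define STALE 0xAA  /* marker standing in for leftovers in a reused stack slot */

/* Fill a slot with stale bytes, build the reply in it field by field,
 * and count how many stale bytes remain when the whole struct is sent. */
static size_t build_and_count(int zero_first, const char *name)
{
    unsigned char slot[sizeof(struct reply)];
    uint8_t  type = 1;
    uint32_t len  = (uint32_t)strlen(name);   /* caller keeps name < 8 chars */
    size_t   i, stale = 0;

    memset(slot, STALE, sizeof slot);         /* previous frame's contents */
    if (zero_first)
        memset(slot, 0, sizeof slot);         /* hardened: define every byte */

    /* Field-wise stores, as emitted for `r.type = ...; r.len = ...;` */
    memcpy(slot + offsetof(struct reply, type), &type, sizeof type);
    memcpy(slot + offsetof(struct reply, len),  &len,  sizeof len);
    memcpy(slot + offsetof(struct reply, name), name, len + 1);

    for (i = 0; i < sizeof slot; i++)         /* bytes a full-struct copy ships */
        if (slot[i] == STALE)
            stale++;
    return stale;
}

size_t leaked_bytes_vulnerable(void) { return build_and_count(0, "ab"); }
size_t leaked_bytes_hardened(void)   { return build_and_count(1, "ab"); }

int main(void)
{
    printf("stale bytes sent, field-wise init: %zu\n", leaked_bytes_vulnerable());
    printf("stale bytes sent, zeroed first:    %zu\n", leaked_bytes_hardened());
    return 0;
}
```

The stale bytes are exactly the ones a read-before-write check has to reason about: no store ever defines them, yet a full-struct copy reads them.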

Vulnerability Discovery - Use Case: Bluetooth Low Energy Fuzzer

We developed a Bluetooth Low Energy fuzzer that plugs into any coverage-guided fuzzing engine. As the target firmware exercises new execution paths, even marginally, the fuzzer preserves those inputs, adds them to its corpus, and mutates them according to preconfigured heuristics. This ensures that each test run builds on the previous coverage gains, driving exploration deeper into the protocol's state space. Under the hood, we achieved this by instrumenting the Zephyr RTOS's BLE stack on the device and coupling it to a host-side harness on Linux, which handles feedback-driven input selection and corpus management.
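Why preserving coverage-increasing inputs matters, as an added example (not Cybervelia's harness): the same single-byte mutation sweep is run with and without corpus retention against a constructed three-stage check. The `target` function, its magic bytes and the sweep strategy are assumptions standing in for instrumented firmware and real mutation heuristics.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LEN 3
#define MAX_CORPUS 8

/* Constructed stand-in for instrumented firmware: returns a bitmap of the
 * branches reached (one more bit per nested check passed). */
static uint8_t target(const uint8_t *in)
{
    uint8_t cov = 1;
    if (in[0] == 'B') { cov |= 2;
        if (in[1] == 'L') { cov |= 4;
            if (in[2] == 'E') cov |= 8; } }
    return cov;
}

/* Sweep single-byte mutations over every corpus entry. With keep_new set,
 * inputs that reach a new branch join the corpus and are mutated in turn. */
uint8_t fuzz(int keep_new, size_t *corpus_size)
{
    uint8_t corpus[MAX_CORPUS][LEN] = {{0}};  /* seed: all-zero input */
    uint8_t seen = target(corpus[0]);
    size_t n = 1, i, pos, v;
    for (i = 0; i < n; i++)
        for (pos = 0; pos < LEN; pos++)
            for (v = 0; v < 256; v++) {
                uint8_t in[LEN], cov;
                memcpy(in, corpus[i], LEN);
                in[pos] = (uint8_t)v;
                cov = target(in);
                if (cov & ~seen) {            /* reached a branch not seen before */
                    seen |= cov;
                    if (keep_new && n < MAX_CORPUS)
                        memcpy(corpus[n++], in, LEN);
                }
            }
    *corpus_size = n;
    return seen;
}

int main(void)
{
    size_t a, b;
    uint8_t with = fuzz(1, &a), without = fuzz(0, &b);
    printf("feedback: cov=0x%02x corpus=%zu; blind: cov=0x%02x corpus=%zu\n", with, a, without, b);
    return 0;
}
```

With retention the sweep reaches all four branches by building on each partial match; without it, the sweep never gets past the first check.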

BLE:Bit - BLE Security Assessment Toolkit

The BLE:Bit tool is a comprehensive framework for Bluetooth Low Energy research and testing. It provides both Central and Peripheral hardware engines that let you intercept, inspect, and manipulate BLE traffic in real time. With BLE:Bit you can discover services and characteristics, clone or replay attribute read/write operations, and even inject or modify pairing data on the fly. Its support for multiple pairing methods (No Input/Output, Just Works, Passkey Entry, and Numeric Comparison), combined with built-in encryption key display and encryption-avoidance capabilities, makes it a go-to platform for deep BLE protocol analysis and vulnerability discovery.

Threat Intelligence - Continuous External Assets Monitoring

We have also built a continuous external-asset monitoring platform that keeps tabs on every internet-facing component of a client's infrastructure. Our discovery engine automatically maps domains, subdomains, IP ranges, cloud services, certificates, and any overlooked endpoints. Whenever a new or forgotten asset appears, or an existing one exhibits a security gap, misconfiguration, or out-of-date software, it is immediately flagged. By combining regular scans with intelligent risk scoring, we give clients real-time visibility into exposures they never knew existed, along with clear, prioritized recommendations for remediation.

Threat Identification and Classification

We’ve also deployed a global network of honeypots to observe and record malicious web traffic in real time. By capturing incoming requests across diverse endpoints, we build a rich dataset that’s fed into a blend of AI-driven classifiers and custom heuristics. This analysis automatically groups attackers by behavior patterns, assesses the severity of each campaign, and assigns a criticality score to every source IP. We then deliver actionable reports to our clients—complete with prioritized target lists and risk levels—so they can focus their defenses on the most pressing threats.

High-interaction custom-built Honeypot

We deployed genuine Linux servers, each running a custom-built kernel, as our honeypot platform to draw in botnets and adversaries. When an attacker interacts with these modified systems, our in-house kernel modules transparently hook critical system calls to log every file operation, network transaction, and process execution to secure storage. Rather than streaming data in real time, we retain these logs for detailed, manual session-by-session analysis. This hands-on approach delivers deep visibility into modern threat actor tools, techniques, and procedures, driving continuous refinement of our defenses.

Contact

Limassol, 4620, Cyprus
E: info -at- cybervelia -dot- com

T: 25-312159

Cybervelia Limited is incorporated in the Republic of Cyprus with Company Registration No. HE 440234

"Cybervelia" is a registered tradename of Cybervelia Limited.

© 2022 Cybervelia Limited. All rights reserved