depthfirst @depthfirstlabs
Autonomous Security From Design To Production depthfirst.com San Francisco Joined April 2025-
Tweets66
-
Followers503
-
Following25
-
Likes191
@TheHackersNews Thank you for the coverage @TheHackersNews
Blog post: depthfirst.com/research/21-ze…
We recently wrote about 21 FFmpeg zero-days we found earlier this year. Read the blog post about the findings and about how our security agent works in the comments.
🔥 AI just found 21 zero-days in FFmpeg. That’s the video library bundled inside many apps, tools, containers, and devices. Some bugs sat untouched for 15–20 years. Google Chrome also dropped PATCHES for a record 429 vulnerabilities this week. Read: thehackernews.com/2026/06/ai-age…
We helped FFmpeg find and fix 21 security vulnerabilities. In a 1.5M-line codebase, we spent just $1K in API costs. Some of these bugs had been hiding for decades. We also developed a PoC demonstrating an RCE primitive when FFmpeg processes RTSP streams. Full write-up: depthfirst.com/research/21-ze…
@arshammem @MartinShkreli @MartinShkreli we just wrote about how our security agent works and how we found 21 zero-days in FFmpeg after it was scanned by Google Big Sleep and Mythos. depthfirst.com/research/21-ze…
@MartinShkreli @depthfirstlabs post trains their own and combines with frontier models + gets context from your environment beyond the codebase.
AI agents are enabling every team to build useful software. This is incredibly exciting, but it also means the attack surface is changing. We recently learned that our adversaries are already using frontier models to create malware and exploit vulnerabilities. To address this, today we’re launching the depthfirst Dependency Firewall to find and block malware in supply chain dependencies before they’re installed. It uses the same engine that discovered NGINX Rift, now optimized to detect malware in open-source packages. We want companies to move faster with AI, without compromising security. Above all, @depthfirstlabs is a mission driven organization. This is another step towards achieving our mission of securing the world's software, an increasingly urgent need as artificial intelligence accelerates how software is built, deployed and attacked.
@sebuzdugan @qasimmith Agree with you @sebuzdugan - that's why depthfirst verifies exploitability conditions to surface real findings and minimize false positives
@aussiExau @qasimmith Thanks for the support @aussiExau - you'd help a lot if you could repost this to spread the word! x.com/qasimmith/stat…
Today we're launching the Open Defense Initiative: up to $5 million in @depthfirstlabs credits for critical open source projects to find and fix real, exploitable vulnerabilities. The timing matters: frontier models can autonomously discover and exploit vulnerabilities in
Thanks @Forbes for the coverage. We want to give all defenders access to frontier-level security, today. We're offering $5m in credits to maintainers of critical OSS. Apply here: opendefense.dev
This Startup’s AI Found Critical Vulnerabilities That Anthropic’s Mythos Missed forbes.com/sites/thomasbr… (Photo: Depthfirst)
Impressive work by @hkashfi! It's great to see how fast the cyber community can work together
Still "Lab", but working fully remotely without any hardcoded offsets, bypassing ASLR on standard Ubuntu + Nginx deployment via an LFI primitive. There's still lots of room for improvement but I'm already out of tea and who cares? Just patch.
.@depthfirstlabs found NGINX Rift. We're giving $5m in credits to critical OSS projects, apply below. Regarding ASLR, please prioritize patching. ASLR makes the exploit harder, but still feasible.
🚨 UPDATE: 19 MILLION exposed NGINX instances hit by the 18-year-old NGINX RCE found by AI. Top exposure by country: - United States: 5,340,011 - China: 2,540,008 - Germany: 1,871,780 Note on ASLR as added security: not all of these instances will have ASLR disabled, but every
Because regex-triggered vulnerabilities depend on the specific regex input, they are especially difficult for static analyzers (and humans) to find. This is impressive.
NGINX rift: We autonomously discovered this 18 yr old heap overflow (CVE-2026-42945) in @nginx impacting version 0.6.27 to 1.30.0. If you use rewrite and set directive, you maybe impacted! Please update your NGINX or change the config to mitigate it. Read more at
Using the same system, we found NGINX RCE, Linux LPE, Chrome RCE, FFmpeg RCE and a lot of other critical Vulnerabilities, feel free to try it out! We are trying our best to help secure OSS!
Today we're launching the Open Defense Initiative: up to $5 million in @depthfirstlabs credits for critical open source projects to find and fix real, exploitable vulnerabilities. The timing matters: frontier models can autonomously discover and exploit vulnerabilities in
depthfirst autonomously discovered, verified, and generated a patch for NGINX rift, an 18 year old heap overflow (CVSS 9.2). It leads to an RCE and is affecting most of the global web traffic. Follow the link in the comments to learn more.
NGINX rift: We autonomously discovered this 18 yr old heap overflow (CVE-2026-42945) in @nginx impacting version 0.6.27 to 1.30.0. If you use rewrite and set directive, you maybe impacted! Please update your NGINX or change the config to mitigate it. Read more at
@nginx powers a large portion of global web traffic, and is used by major companies to run and secure their web services. This code had been there for 18 years and run countless times before we found the vulnerability.
@depthfirstlabs found a critical vulnerability in @nginx leading to RCE (CVE-2026-42945, CVSS 9.2). We recommend patching to 1.30.1 or 1.31.0 as as possible. Securing the world software is depthfirst mission and NGINX is one of the most widely deployed web server in the world
Jackie B @jackieberardo
7K Followers 4K Following Investing in the future @designerfund. Writing abt tech @hellofutureof @forbes. Prev. @instagram @meta design research. [email protected]
The Hacker News @TheHackersNews
1.5M Followers 2K Following The #1 trusted source for cybersecurity news, insights, and analysis — built for defenders and trusted by decision-makers.
Virender Aggarwal @Virender_VA
4K Followers 7K Following Helping companies ride the tsunami of AI. Embedding AI into products and offerings. Ex CEO of a listed SaaS co. retweets not Endorsement.
martian_bandit @BandidoMarciano
1 Followers 164 Following
karkar @0x0ed
2 Followers 133 Following
CATA @CataMollerb
237 Followers 965 Following
0xHackthelearning @GHak2learn27752
778 Followers 5K Following PENTESTER#CybserSecurity research in #Automotive #IoT #WirelessComm #SourceCodeAudit #AppSec noob and actively learning #AIML in CyberSecurity domain.
Mariano @mjpayano
146 Followers 921 Following
Edson Stima @edson_stima
36 Followers 61 Following ●Estudante/ Rapper ●Artista da C. Discográfica @cb_rsfem 💿🎼🎬🇦🇴 #CbRSFEM Novo Projecto 👇🏿
Alex Lee @alexjoelee
441 Followers 3K Following founder of @skip2networks, husband of @spookypengin and proud dad of a dog and a cat 🇺🇸🏳️⚧️🇺🇦🇵🇸
Nana Essuman @awotwe_williams
725 Followers 856 Following Arts in all forms🎨 health 🏨 Tech👨🏾💻 TO DARE IS TO DO!!
Kaushal Sheth @Kaushaladdis
157 Followers 4K Following
nini @kunotn53056
1 Followers 34 Following
ymmaS @Sec_Sammy
36 Followers 738 Following
sonny2k @Sonny2kay
290 Followers 2K Following
Tu Tri Mi @trimituvn
22 Followers 2K Following
Arlodev @arlodev
74 Followers 3K Following
Jorge @jorgegarccia
190 Followers 3K Following
InfosecGandalf @InfosecMinion
1K Followers 5K Following CISO, xMSFT, In weird relationship with coffee machines.
DexterNoN @d3xt3rnon
14 Followers 1K Following
hXX @DogechainMemer
3 Followers 184 Following
One @isnt_one_
46 Followers 1K Following
Infernal Heaven @Infernal_Heaven
10 Followers 2K Following 🇺🇦 Russia will disappear when the Ukrainian sun rises -DD. Україна або смерть!
Brian Halbach ☕️ @brianhalbach
1K Followers 6K Following Who has two thumbs and can count to ten. Does cyber security things | abyss gazer | opinions are my own | (he/him)
Mitch Lantz @lantzops
29 Followers 382 Following RHCSA | DevSecOps | Blue Team Building CI/CD AppSec labs to fight supply chain vulnerabilities. Defending the pipeline against vibe-coded shenanigans.
oxro0T @Oxro0T
7 Followers 436 Following
Sophie @Sophie196959144
1 Followers 52 Following
Brandon Romisher @brandonromisher
0 Followers 25 Following
STJ @thibautone
341 Followers 2K Following shitposting | ex-Red Teamer ex-@Namecheap ex @fdotinc @nullfellows | Author of https://t.co/jhCoyDEjf5
Martin Shkreli @MartinShkreli
529K Followers 9K Following https://t.co/vJE5wyGbhv https://t.co/GUy99qMPSm - join our start-up focused Discord! [email protected]
Solar Designer @solardiz
13K Followers 1K Following @Openwall founder, @oss_security maintainer, @lkrg_org co-author, @CtrlIQ Linux security engineer. RTs don't imply agreement with points of view.
Open Source Security ... @oss_security
5K Followers 9 Following @Openwall oss-security mailing list thread summaries, currently maintained by @solardiz. Originally setup and maintained as an automated feed by @eugeneteo.
Low Level @LowLevelTweets
52K Followers 1K Following 🏴☠️ Cybersecurity Content Creator 🧙 Security Researcher 📺 1M+ YouTube && Twitch Partner // prev: fuzzers & hypervisors @microsoft Business: [email protected]
Dark Web Informer @DarkWebInformer
216K Followers 76 Following One guy. Global cybercrime. Tracked so you don't have to. Ransomware, data breaches, dark web activity, darknet markets, IOCs & emerging threats. Stay informed!
Forbes @Forbes
20.3M Followers 5K Following Sign up now for Forbes' free daily newsletter for unmatched insights and exclusive reporting: https://t.co/v3UAa9BzAT
The Hacker News @TheHackersNews
1.5M Followers 2K Following The #1 trusted source for cybersecurity news, insights, and analysis — built for defenders and trusted by decision-makers.
Kirsten Green @kirstenagreen
128K Followers 1K Following Founder/Investor @ForerunnerVC. All in on founders building a future worth having.
QM @qasimmith
2K Followers 497 Following CEO of @depthfirstlabs. On a mission to secure the world's software. ex early databricks, AWS.
RSAC Parties @RSACParties
828 Followers 2K Following Unofficial listing of RSA & Vendor Parties at RSA Conference 2026. Not affiliated with RSA. Serverless build by @sheffus on @AWScloud. DMs to @reInventParties
Zhenpeng (Leo) Lin @Markak_
3K Followers 394 Following Ph.D., CTF player @Nu1L_team, now @StrawHat_CTF. #Pwn2Own winner. Author of #DirtyCred #Badiouring
Schneier Blog @schneierblog
145K Followers 0 Following Bruce Schneier is an internationally renowned security technologist and author. Described by The Economist as a "security guru"
briankrebs @briankrebs
331K Followers 2K Following Independent investigative journalist. Author of 'Spam Nation,' a NYT bestseller. Former Washington Post reporter. Mastodon: https://t.co/fTKNavlMwp
@mikko @mikko
224K Followers 946 Following Researcher and a best-selling author. Keynote talks at RSA, Black Hat & DEF CON. TED Speaker. Chief Research Officer at Sensofusion.
Kevin Mitnick @kevinmitnick
270K Followers 3K Following Chief Hacking Officer @knowbe4, Security Consultant, Public Speaker, & Author Whistling ICBM launch codes since 1988 - account managed by Kimberley Mitnick
Maddie Stone @maddiestone
62K Followers 796 Following Security Researcher. Previously Google Project Zero and TAG | 0days all day. Love all things bytes, assembly, and glitter. she/her.
Chris Wysopal @WeldPond
55K Followers 1K Following Hacker. Co-founder/CTO Veracode. Former L0pht security researcher. GenAI Auto-repair of vulns is the future @weld.bsky.social @[email protected]
Colin Ainsworth @colineainsworth
74 Followers 425 Following
Dino A. Dai Zovi @dinodaizovi
39K Followers 1 Following Dino is human and can make mistakes. Please double-check responses.
Abhinav Kommula @AbhinavKommula
25 Followers 51 Following
John Heyer 🦆 @hohnjeyer
51 Followers 177 Following AI Hacking @ https://t.co/ohgiqgEJar ex ML @ scale / amazon / mit
mav @MavLevin
3K Followers 860 Following 0day security researcher sharing my work. prev: anthropic, unit 8200, stanford, trail of bits, calif
Andrea Michi @andreamichi
3K Followers 1K Following CTO @depthfirstlabs - Autonomous security from design to production. Prev RL post-training Gemini @GoogleDeepMindYou might like
