shubs

@infosec_au

Followers 56K · Following 10K · Media 254 · Statuses 5K

Co-founder, security researcher. Building an attack surface management platform, @assetnote

halcyon
Joined August 2013
@infosec_au
shubs
10 days
RT @joernchen: Today I have a more serious topic than usual, please consider reposting for reach:. My wife and I are urgently looking for a….
0
111
0
@infosec_au
shubs
18 days
We'll make an effort to make any future tool we create at Searchlight/Assetnote also be a part of this tool's site, even if we release an open-source repo of the direct tool. We want to make our tools and ideas accessible to everyone. Wordlists will always be free (0 credits).
0
0
10
@infosec_au
shubs
18 days
More tools on the site: Expired Domain Checker, Registered Domain Search, Subdomain Takeover API, and Nowafpls, all accessible as an API. Credits replenish monthly, and every sign-up gets 100 credits. There are no paid plans; this is a free community project maintained by us.
1
0
18
@infosec_au
shubs
18 days
We rebuilt Surf (SSRF Candidate Discovery) from scratch and made it something you can easily use inside your browser. Put in up to 1000 hosts, and we'll let you know which hosts are worth trying when exploiting SSRF. I use this tooling all the time when exploiting SSRF.
1
0
14
@infosec_au
shubs
18 days
We also took feedback from the community, and our newest tool (Newtowner) now has a web version! This allows you to test access control bypasses by sending traffic from any Cloudflare datacenter region, or via AWS US-East-1.
1
0
16
@infosec_au
shubs
18 days
Wordlists are now super easy to search for and download in bulk. Everything is API accessible, but you can DL from the web interface too. These wordlists have resumed updating from last month. I know a lot of people get value from these wordlists, so it's great to evolve it!
1
0
17
@infosec_au
shubs
18 days
Today, we're releasing the new Searchlight Cyber (@SLCyberSec) tools website, which allows you to use several of our open-source tools for free via a web interface. You can self-register at (+ all our wordlists will be released there from now on!).
10
78
366
@infosec_au
shubs
1 month
The @SLCyberSec research team is releasing our final research post for our Christmas in July efforts, two RCEs and one XXE (all pre-auth) in Adobe Experience Manager Forms. One of the RCEs and the XXE still do not have official patches:
slcyber.io
Vulnerabilities in AEM Forms The Searchlight Cyber Research Team discovered and disclosed three critical vulnerabilities in Adobe Experience Manager Forms to Adobe in late April 2025. As of writing...
6
60
224
@infosec_au
shubs
1 month
RT @kevin_mizu: I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Ha….
0
166
0
@infosec_au
shubs
1 month
RT @_l0gg: Blog for ToolShell. Disclaimer: The content of this blog is provided for educational and informational purposes only. https://t.c….
0
82
0
@infosec_au
shubs
1 month
For our third installment of Christmas in July, the @SLCyberSec Research Team is disclosing a critical authentication bypass vulnerability in ETQ Reliance that leads to RCE (CVE-2025-34143). Surprisingly, all you needed was a space to bypass auth.
slcyber.io
Note: In correspondence with Hexagon while disclosing the bugs below, they informed us that any sharing of source code would be considered a violation of their terms and license. The Java code has...
0
26
93
@infosec_au
shubs
1 month
I hope everyone got some rest after @DownUnderCTF this weekend. My colleague @hash_kitten wrote up a blog post on a novel technique for SQL Injection in PDO's prepared statements, required to exploit the “legendary” challenge, which only got one solve:
slcyber.io
Searchlight Cyber's Security Research team details a Novel Technique for SQL Injection in PDO's Prepared Statements.
0
48
237
@infosec_au
shubs
1 month
@Rhynorater @rez0__ Also, the %09 trick used for the AEM XSS was a really noteworthy thing to highlight. Again, I really respect that they took the time to understand the broader impact of @hash_kitten's research. I think many people wouldn't have realised how broad it is before their podcast.
0
0
13
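The mechanics behind a %09 (tab) in a URL scheme, as an added example; this is not code from the page, from shubs, or from the AEM research the post refers to, and the page does not say whether this is exactly the AEM vector. The WHATWG URL parser that browsers and Node's URL class implement strips every ASCII tab and newline from its input before parsing, so a raw string that never contains the word "javascript" still ends up as a javascript: URL. The blocklist regex, the allowlist, the base URL and the payloads below are all constructed for illustration.

```javascript
// Added example (not from the page or the AEM research it mentions): why a tab
// (%09 after URL decoding) inside a URL scheme defeats a filter that pattern-
// matches the raw string, and how parsing first closes the gap.

// Hypothetical blocklist a naive sanitiser might apply to an href value.
const NAIVE_BLOCKLIST = /^\s*(javascript|data|vbscript):/i;

// Naive filter: regex over the raw attribute value (the vulnerable pattern).
function naiveHrefIsSafe(href) {
  return !NAIVE_BLOCKLIST.test(href);
}

// Hardened filter: parse the value the way the browser will, then allowlist
// the resulting scheme. Relative URLs resolve against an assumed base.
function parsedHrefIsSafe(href, base = "https://example.com/") {
  let url;
  try {
    url = new URL(href, base);
  } catch {
    return false; // unparseable input: reject instead of guessing
  }
  return url.protocol === "https:" || url.protocol === "http:";
}

// The scheme the browser actually ends up with, or null if it would not parse.
function effectiveProtocol(href, base = "https://example.com/") {
  try {
    return new URL(href, base).protocol;
  } catch {
    return null;
  }
}

// Constructed payloads. "%09" in a query string URL-decodes to "\t".
const PAYLOADS = [
  "javascript:alert(1)",
  "java\tscript:alert(1)",  // %09 inside the scheme: slips past the regex
  "java\nscript:alert(1)",  // %0A is stripped by the parser the same way
  "\tjavascript:alert(1)",  // leading tab: \s in the regex still catches this
  "https://example.com/page",
  "/relative/path",
];

// Side-by-side verdicts so the divergence is visible in one table.
function compareFilters(list = PAYLOADS) {
  return list.map((p) => ({
    payload: JSON.stringify(p),
    effectiveProtocol: effectiveProtocol(p),
    naiveSafe: naiveHrefIsSafe(p),
    hardenedSafe: parsedHrefIsSafe(p),
  }));
}

console.table(compareFilters());
```

The row for "java\tscript:alert(1)" is the point: the regex reports it safe while the parser reports a javascript: scheme. Checking the parsed scheme against an allowlist, rather than the raw string against a blocklist, is what removes the whole class of whitespace and encoding tricks, not just the tab.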
@infosec_au
shubs
1 month
@Rhynorater @rez0__ I really appreciated that @Rhynorater identified the DotNetNuke bug as an order-of-operations issue. That's one of my favourite bug classes, and since it's very logical, it can be missed easily for an extended amount of time.
2
0
14
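The order-of-operations bug class from the DotNetNuke post above, and the "all you needed was a space" detail from the ETQ Reliance post earlier in the feed, as one added example. This is not code from the page, from ETQ Reliance, or from DotNetNuke: the login routine, user store, account names and roles are constructed, and the assumption that the space was a trailing one is mine (the page does not say where the space went). The guard runs on the raw username, the lookup runs on a trimmed copy, and that gap is the whole bug.

```javascript
// Added example (hypothetical app, not ETQ's or DotNetNuke's code): a guard that
// checks the raw input, followed by a lookup on a normalised copy. "SYSTEM "
// passes the guard (it is not literally "SYSTEM") and then resolves to the
// privileged account once trim() runs.

// Constructed user store.
const USERS = new Map([
  ["SYSTEM", { role: "admin", password: null }], // internal account, never meant to log in
  ["alice", { role: "user", password: "hunter2" }],
]);
const INTERNAL_ONLY = new Set(["SYSTEM"]);

function checkPassword(user, password) {
  // The internal account has no password; the guard is what is supposed to
  // keep it out of the interactive login path.
  return user.password === null || user.password === password;
}

// Vulnerable: guard first on the raw value, normalise afterwards.
function loginVulnerable(username, password) {
  if (INTERNAL_ONLY.has(username)) {
    return { ok: false, reason: "internal account" };
  }
  const user = USERS.get(username.trim()); // canonicalisation happens too late
  if (!user) return { ok: false, reason: "no such user" };
  if (!checkPassword(user, password)) return { ok: false, reason: "bad password" };
  return { ok: true, role: user.role };
}

// Fixed: canonicalise once, up front, and use only that form from then on.
function canonicalUsername(raw) {
  return raw.normalize("NFKC").trim();
}

function loginFixed(username, password) {
  const name = canonicalUsername(username);
  if (INTERNAL_ONLY.has(name)) {
    return { ok: false, reason: "internal account" };
  }
  const user = USERS.get(name);
  if (!user) return { ok: false, reason: "no such user" };
  if (!checkPassword(user, password)) return { ok: false, reason: "bad password" };
  return { ok: true, role: user.role };
}

// Side-by-side run over constructed inputs.
function demo() {
  const attempts = [
    ["alice", "hunter2"],
    ["SYSTEM", ""],
    ["SYSTEM ", ""],      // the trailing-space variant
    ["\u00a0SYSTEM", ""], // non-breaking space: trim() removes it as well
  ];
  return attempts.map(([u, p]) => ({
    username: JSON.stringify(u),
    vulnerable: loginVulnerable(u, p),
    fixed: loginFixed(u, p),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

The reason this class survives code review for a long time is that each line is individually correct: the guard does compare against the protected name, and the lookup does normalise its input. The defect is only visible when you ask which string each step actually saw, which is the "order of operations" framing in the post above.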
@infosec_au
shubs
1 month
Enjoyed @Rhynorater's and @rez0__'s takes on our Christmas in July research on the CTBB podcast. Give it a listen for a good summary! We have two more blogs scheduled to publish this month, wrapping up our research push for Christmas in July.
criticalthinkingpodcast.io
Episode 131: In this episode of Critical Thinking - Bug Bounty Podcast we're covering Christmas in July with several banger articles from Searchlight Cyber, as well…
2
6
77
@infosec_au
shubs
1 month
This month's Christmas in July release from @SLCyberSec's Security Research team is a pre-authentication RCE vulnerability in Sawtooth Lighthouse Studio (CVE-2025-34300). This software is prevalent and hidden in plain sight. Read more on our blog:
1
28
131