🗓️ Live on June 25: Hardening OT defenses w/ HD Moore & GigaOm Register
runZero CAASM
Image
Image

Exposure management needs a reboot. Great research is the key to innovating new solutions.

Securing your total attack surface has never been more challenging. We believe that applied research is fundamental to building better security solutions to address both new problems and the persistent ones that dog security teams. By sharing our research, tools, and knowledge with our community, we can help each other proactively improve our defenses and raise the bar on attackers.

Image

KEVology: an analysis of exploits, scores, & timelines on the CISA KEV

CISA’s Known Exploited Vulnerabilities (KEV) catalog is one of the most influential and misunderstood signals in vuln management. This new report by former CISA KEV Section Chief Tod Beardsley, breaks down how KEV entries behave and reveals what you should prioritize for real-world risk management.

Read the Report
Image

The New Rules of Risk: EPSS v5 and Agentic Adversaries

This month marks the official release of EPSS v5. To help you prepare, Tod Beardsley, Bri Cluck, and Stephen Shaffer (Co-Chair of the EPSS Special Interest Group) are teaming up! Join the conversation and see how your team can best use EPSS v5 to inform daily risk decisions in a world increasingly targeted by the apex agentic adversary.

Register Now
Image

Join HD Moore on June 25: Securing the modern IT/OT attack surface.

Join runZero Founder and CEO HD Moore, alongside GigaOm Analyst Chris Ray, as they discuss key methods for hardening OT defenses. They will also share exclusive insights from the 2026 GigaOm Radar for OT Security, which positioned runZero as a Challenger and Fast Mover in the Innovation/Platform Play quadrant.

Register Now

Tools built by the Research team

Practical tools to help you find, visualize, and prioritize the exposures that put your network at risk.

Image
Tool
KEV Collider
Developed and hosted by runZero, KEV Collider is a daily-updated web app built on open-source data, layering the CISA KEV catalog with the metadata and context required to prioritize real-world risk over hypothetical exploits.
Launch KEV Collider
Image
Tool
runZeroHound
runZeroHound is an open-source toolkit that converts runZero asset inventories (JSONL format) into BloodHound OpenGraph import files, enabling Cypher-based analysis of real network attack paths.
Learn More
Image
Tool
EPSS Pulse
EPSS Pulse monitors daily score changes so you can zero in on the vulnerabilities that truly matter. Get the context you need to confidently prioritize what poses the greatest risk to your environment.
Learn More
Image
Tool
SSHamble v3: Exploit SSH protocol vulnerabilities
SSHamble uncovers a range of weaknesses in SSH applications that affect critical network security devices and software.
Learn More

Research Reports

In-depth analysis and data-driven insights to help you prioritize risk and strengthen your exposure management program.

Image
Report
Undead by Design
End-of-life (EOL) operating systems remain an underestimated risk for enterprise networks.

This report uncovers EOL operating systems still shambling through U.S. enterprises and millions of assets, revealing the risks that haunt our networks.
Read the Report
Image
Report
Divining Risk: Deciphering Signals From Vulnerability Scores

Vulnerability scores promise clarity, but too often just add to the noise.

We analyzed signals from over 270,000 CVEs to reveal what CVSS, EPSS, and SSVC actually tell us — and what they don’t.

Read the Report
Image
Research Report: Volume 1
Uncovering Alarming Gaps & Unexpected Exposures
The runZero research team analyzed millions of assets across hundreds of enterprise networks, including internal infrastructure, internet-facing assets, and cloud environments. We found alarming gaps, unexpected trends, and much more.
Read the Report

Latest Research Blogs

Dive into the latest findings, insights, and observations on attack surfaces from our research team.

Image
Product
Announcing runZero 4.9: Unmask attack paths and segmentation gaps with advanced topology and deep OT device intelligence
With runZero 4.9, visualize attacker lateral movement, harden network choke points, gain deep OT telemetry to secure converged environments, and more.
Read More
Image
runZero Research
Making the CISA KEV actionable for real-world risk
If you want to understand what the KEV is actually telling you, read our new KEVology report, then take the analysis into the lab with the KEV...
Read More
Image
runZero Research
The runZero CNA is the newest CVE Numbering Authority!
runZero is now officially a CVE Numbering Authority!
Read More
Image
runZero Research
Winpocalypse: One month later, the zombies are multiplying
We’re just over a month out from the Winpocalypse, where all Windows 10 operating systems technically went end-of-life. Let's talk about it.
Read More
Image
runZero Research
runZero Hour recap: Beyond the veil with end-of-life OSes
In this episode, we talk about everything from current programming languages to mysterious firmware to, of course, the natural process of degrading...
Read More
Image
runZero Research
Windows 10 EOL: A Winpocalypse just like Y2K
The end of Windows 10 is here, and with it comes a surge of exploitable systems. Move fast and find your exposures before attackers do with runZero.
Read More
Image
runZero Research
From legacy to liability: New research report on end-of-life assets
End-of-life (EOL) operating systems don’t just fade away. They linger in enterprise networks like the undead — unchanging, unpatched, and...
Read More
Image
runZero Research
Fast ≠ careless: cutting exposure time without breaking things
This month’s runZero Hour wasn’t just another CVE rundown. We went deeper to uncover what it means to move fast without breaking things.
Read More
Image
runZero Research
Grappling with a post-CVE world
The writing is on the wall: an over-reliance on CVEs and agent-based approaches won’t keep you safe. So what else can you do to regain the upper hand?
Read More
Image
runZero Research
Webcast recap: see + secure everything in your OT environment
A recap of last week’s webcast, where the runZero research team dug into the hard-earned lessons of managing sensitive OT environments.
Read More
Image
runZero Research
runZero Hour, ep. 21 recap: highlights from Hacker Summer Camp
Our top insights, tools and stories from Hacker Summer Camp 2025.
Read More
Image
runZero Research
Introducing EPSS Pulse: monitoring volatility in vulnerability risk
Learn about the origins of EPSS Pulse — the free tool that highlights recent 'fast movers' among EPSS-evaluated, CVE-identified vulnerabilities.
Read More

Latest runZero Hour Episodes

Watch recent episodes of our monthly research webcast exploring all things exposure and timely security topics.

Image
Webcasts
runZero Hour, Ep. 30: Segmentation - stop assuming & start verifying with runZero 4.9
See runZero 4.9 in action! Join HD Moore and Tod Beardsley to learn how interactive attack path mapping and advanced OT intelligence expose hidden...
Watch Now
Image
Webcasts
runZero Hour, Ep. 29: Live, Laugh, Malware: LLMs in Cybersecurity
Join Tod Beardsley and Rob King as they welcome guest Caroline Wong, author of The AI Cybersecurity Handbook.
Watch Now
Image
Webcasts
runZero Hour, Ep. 28: Deep dive into OT retroencabulation
Tod Beardsley and Rob King were joined by special guest Ulises Fuentes Venado, Senior OT Pre-Sales Engineer at GuidePoint Security, for a thorough...
Watch Now
Image
Webcasts
runZero Hour, Ep. 27: KEVology 101 – observing exploit trajectories in the KEV Collider
In this episode or runZero Hour, Tod Beardsley, Rob King, and special guest Wade Sparks (CISA and VulnCheck KEV veteran) explore the science of...
Watch Now
Image
Webcasts
runZero Hour, Ep. 26: Exploring offseason resorts and OT networks with Brianna Cluck
In the first 2026 episode of runZero Hour, Rob King and Tod Beardsley chat it up with fan-favorite OT expert Brianna Cluck from GreyNoise...
Watch Now
Image
Webcasts
runZero Hour, Ep. 25: The Holiday Hackstravaganza!
Tod Beardsley, Rob King, (and special guests!) look back at 2025’s wildest vulnerabilities, standout research, and make bold predictions for 2026.
Watch Now
Image
Webcasts
runZero Hour, Ep. 24: Attack graphs with runZero and BloodHound!
In this episode, runZero's Tod Beardsley, Rob King, HD Moore and Jared Atkinson, CTO of SpecterOps, dive into the tangled world of modern attack...
Watch Now
Image
Webcasts
runZero Hour, Ep. 23: Beyond the veil with end-of-life OSes
In this episode of runZero Hour Rob King, Tod Beardsley, and captn3m0 (creator of endoflife.date) summon insights from runZero’s latest research...
Watch Now
Image
Webcasts
runZero Hour, Ep. 22: Poking the bear (safely) - our expanded vuln checks
We just added hundreds of new critical remote vulnerability checks to runZero that run safely across all your environments and are way faster than...
Watch Now
Image
Webcasts
runZero Hour, Ep. 21: Hacker Summer Camp recap!
In this post-Hacker Summer Camp recap, Tod Beardsley, Rob King, HD Moore, and Matthew Kienow break down the most practical insights from BSidesLV,...
Watch Now
Image
Webcasts
runZero Hour, Ep. 20: Reshaping security with open source: Insights from ProjectDiscovery & runZero
On this episode, we celebrate open source collaboration with the minds behind ProjectDiscovery: Rishiraj Sharma and Sandeep Singh, the co-founders...
Watch Now
Image
Webcasts
runZero Hour, Ep. 19: Mission contextualize – LLMs, MCP, and the future of vulnerability intelligence
Jerry Gamblin joins us for a deep dive into today’s vulnerability landscape — from CVE trends and statistics to the launch of his new MCP (Model...
Watch Now

Latest Rapid Responses

Get tips on addressing 0-day threats and see how to uncover them immediately with runZero prebuilt queries.

Image
Rapid Response
How to find Drupal core instances on your network
Certain versions of Drupal core are affected by a SQL injection vulnerability in the database abstraction API. Here's how to find affected assets.
Read More
Image
Rapid Response
How to find Vercel Next.js instances on your network
Self-hosted Next.js applications using the built-in Node.js server are vulnerable to SSRF within the WebSocket upgrade handling mechanism.
Read More
Image
Rapid Response
How to find Cisco Catalyst SD-WAN installations on your network
Cisco disclosed versions of Cisco Catalyst SD-WAN Controller & Manager contain a vulnerability in the peering auth mechanism. How to find affected...
Read More
Image
Rapid Response
How to find Exim mail servers on your network
Certain versions of Exim are susceptible to a critical RCE vulnerability caused by a use-after-free condition in the BDAT body parsing path.
Read More
Image
Rapid Response
How to find F5 NGINX installations on your network
F5 published a security advisory that a high vulnerability was identified in multiple versions of NGINX products. Here's how to find NGINX...
Read More
Image
Rapid Response
How to find Fortinet FortiAuthenticator on your network
Fortinet disclosed in an advisory that a critical vulnerability was identified in versions of FortiAuthenticator.
Read More
Image
Rapid Response
How to find Fortinet FortiSandbox on your network
Fortinet disclosed in an advisory that a critical vulnerability was identified in versions of FortiSandbox.
Read More
Image
Rapid Response
How to find Ollama instances on your network
Certain versions of Ollama are susceptible to a heap out-of-bounds read vulnerability within the GGUF model loader. Here's how to locate affected...
Read More
Image
Rapid Response
How to find Palo Alto Networks devices running PAN-OS
PAN has disclosed that certain versions of PAN-OS are affected by an authentication bypass vulnerability in the GlobalProtect portal and gateway.
Read More
Image
Rapid Response
How to find Android Debug Bridge (ADB) on your network
Google disclosed that certain Android versions are susceptible to an authentication bypass vulnerability within the wireless ADB mutual...
Read More
Image
Rapid Response
How to find Progress MOVEit Automation installations on your network
Progress has disclosed that versions of MOVEit Automation are susceptible to two vulnerabilities within the service backend command port interfaces.
Read More
Image
Rapid Response
How to find LiteLLM instances on your network
LiteLLM has disclosed that certain versions of LiteLLM Proxy are susceptible to multiple vulnerabilities that can be chained together to achieve RCE.
Read More

Revisit Hacker Summer Camp!

Relive the highlights of our epic week at Hacker Summer Camp 2025 with talks and interviews across BSides, Black Hat, and DEF CON.

Image
Talks
DEF CON 33 - Shaking out shells with SSHamble (HD Moore)
This session is an extension of our 2024 work and includes new research as well as big updates to our open source research and assessment tool,...
Watch Now
Image
Talks
DEF CON 33 - There and back again: detecting OT devices across protocol gateways (Rob King)
Presented by Rob King at DEF CON 33, this talk discusses techniques for detecting devices on the "other side" of protocol gateways.
Watch Now
Image
Podcasts
The often-overlooked truth in cybersecurity: seeing the unseen in vulnerability management
Sean Martin (ITSPmagazine) speaks with HD Moore about an overlooked truth in cybersecurity: the greatest risks are usually the things you don’t...
Watch Now
Image
Podcasts
You can’t get there from here: why we need a new way to manage exposure
At Black Hat 2025, CyberRisk TV sits down with HD Moore for a no-BS conversation on why vulnerability management is still failing enterprises.
Read More
Image
Talks
Charting the SSH multiverse with HD Moore (BSidesSF 2025)
Watch runZero founder HD Moore, explore the multitude of SSH implementations, their specific weaknesses, and real-world exposures.
Watch Now
Image
Talks
Forging strong cyber communities in uncertain times
HD Moore and Nicole Schwartz explore what it takes to create and foster robust cybersecurity communities and why we should all get involved in...
Watch Now
Image
Webcasts
runZero Hour, Ep. 21: Hacker Summer Camp recap!
In this post-Hacker Summer Camp recap, Tod Beardsley, Rob King, HD Moore, and Matthew Kienow break down the most practical insights from BSidesLV,...
Watch Now
Background Image

Explorers, innovators, & experts

Meet the team behind our research.

We are a group of industry veterans with decades of experience in information security, who are committed to runZero’s foundational principle that applied research makes for better asset discovery, and that better asset discovery is the foundation of modern exposure management.

The goal of the runZero research team is to discover incredibly efficient ways to pinpoint at-risk devices and quickly get this information into the hands of our customers and community. We achieve this through both precise fingerprinting and fast outlier analysis across IT, OT, IoT, cloud, mobile, and remote environments. 

Image
Image

HD Moore

Founder & CEO, runZero

Image Image Image

HD Moore is the founder and CEO of runZero. Previously, he founded the Metasploit Project and served as the main developer of the Metasploit Framework, which is the world's most widely used penetration testing framework.

More from HD Moore
Image

Tom Sellers

Principal Research Engineer

Image Image

Tom Sellers is a Principal Research Engineer at runZero. In his 25 years in IT and Security he has built, broken, and defended networks for companies in the finance, service provider, and security software industries. He has...

More from Tom Sellers
Image

todb

VP, Security Research, runZero

Image

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infra...

More from todb
Image

Matthew Kienow

Vulnerability Researcher

Image

Matthew Kienow is a software engineer and security researcher. Matthew previously worked on the Recog recognition framework, AttackerKB as well as Metasploit's MSF 5 APIs. He has also designed, built, and successfully deploye...

More from Matthew Kienow
Image
Image
Image

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

Try it Free
Image
Image
runZero CAASM
© Copyright 2026 runZero, Inc. All Rights Reserved