Part 3 of our Entra ID blog series looks at common weak PIM configurations, practical abuse scenarios, and how to identify them with EntraFalcon: blog.compass-security.com/2026/04/comm...
Posts by Compass Security
🏃♂️ Time for a security workout. Sanitas is launching its #bugbounty program and inviting ethical hackers to help keep its digital healthcare services in peak condition.
Hunt vulnerabilities and help protect critical healthcare systems: bugbounty.compass-security.com/bug-bounties...
Unprotected groups in Entra ID can lead to privilege escalation.
Part 2 of our 4-part series shows how weakly protected groups can be abused to bypass controls, gain privileged access, and lead to full compromise - and how to detect this with EntraFalcon: blog.compass-security.com/2026/03/comm...
✨ We’re excited to welcome Compass Security as a Platinum Sponsor for the AREA41 security conference 2026 🛸 👽
Thank you for supporting the infosec community, we look forward to seeing you‼️
➡️ Check them out at: compass-security.com
@compass-security.com
📅 June 18-19. 2026, Zürich - area41.io
Foreign enterprise apps can expose your Entra ID tenant.
Today, we release part 1 of our 4-part weekly series on common Entra ID pitfalls and how to detect them with EntraFalcon.
Learn how external apps can lead to data access or worse: blog.compass-security.com/2026/03/comm...
EntraFalcon update 🚀 The new Security Findings Report turns Entra ID enumeration into actionable findings with 60+ checks and colorful charts. Read Chrigi's @zh54321.bsky.social blog and try the tool now on your tenant!
blog.compass-security.com/2026/03/from...
#EntraID #CloudSecurity #EntraFalcon
WinGet can be more than a package manager. We show how .winget configs + a self-referencing LNK become a viable initial access payload when Microsoft Store is enabled. Includes detection queries & mitigation tips.
blog.compass-security.com/2026/03/wing...
#RedTeam #Windows #LOLBins #InitialAccess
John Ostrowski (Compass Security) and Manuel Kiesel (Cyllective AG) worked together on CVE-2025-13154, a Lenovo Vantage LPE. Even after Microsoft closed a known primitive, collaboration led to a working PoC.
blog.compass-security.com/2026/02/from...
#Windows #CVE #SecurityResearch #PrivEsc
A night full of exciting happenings. Compass #Pwn2Own team chained zero days to run code on the Canada-built Grizzl-e Smart level 2 charger. Colleagues also demoed the manipulation of the charging control protocol. Well earned 25‘000 USD!
We have exciting news to share. Compass folks made the Alpine car infotainment system run arbitrary code and earned 10‘000 USD. 🎉🎉🎉
Confirmed! Cyrill Bannwart, Emanuele Barbeno, Yves Bieri, Lukasz D., and Urs Mueller of Compass Security (@compasssecurity) exploited one exposed dangerous method/function bug on the Alpine iLX-F511, winning Round 2 for $10,000 USD and 2 Master of Pwn points. #Pwn2Own #P2OAuto
How do we keep our security analysts up to date?
Our latest blog post looks inside our internal training week, from Kubernetes security to red teaming and our annual Security Boot Camp.
blog.compass-security.com/2026/01/cont...
#CyberSecurity #Learning #Pentesting #Kubernetes
The schedule is out! 🗓️ We’re hitting the stage on January 21st at 12:30 JST (4:30 CET) and at 14:00 JST (6:00 CET). Time to see if all the work in the lab pays off. Wish us luck! #Pwn2Own
www.zerodayinitiative.com/blog/2026/1/...
Here we are again! Finally on the ground for #Pwn2Own Automotive in Tokyo 🏎️💻 Our team is ready, and we’re just waiting for the Tuesday draw to see when we’re up. Big week ahead! Stay tuned! 🛠️🔥
co//aboration…ftw! Thanks for the kudos!
The final stage would not have been possible without John Ostrowski from @compass-security.com thanks for the Swiss infosec collaboration! 🫕🤝
co//aboration… ftw. Thanks for the Kudos!
Thank you #BugHunters for your relentless curiosity and clean reports that keep our customers #BugBountyProgram sharp.
Soon to announce: Switzerland's highest max. bounty ever, new programs and budget refills. Stay tuned! For now: shut down, enjoy the festive season and recharge.
In a new video, Nicolò @rationalpsyche.bsky.social walks through how to fuzz with AFL++, how to pick targets, avoid common pitfalls, and boost effectiveness. Find performance tips, fuzzing theory, and AFL++ internals.
Watch here: youtu.be/L5Tin7m5sbE?...
#security #fuzzing #AFLplusplus #appsec
New video out!
Security analyst John Ostrowski shows the hands-on process behind discovering CVE-2025-24076 and CVE-2025-24994 described in our recent blog post.
Watch here: youtu.be/YwNcTuHxnAI
#security #pentest #windowsinternals #vulnresearch
NTLM relay works against HTTPS if channel binding is missing. Our new blog post explains why, shows how tooling evolved, and highlights defensive measures.
blog.compass-security.com/2025/11/ntlm...
Want to understand how Windows handles authentication and access tokens? Security analyst @emanuelduss.ch explains how they’re created, used, and abused - with live demos.
🎥Presentation: youtu.be/_ODdwpxXRR4?...
#Security #Pentest #WindowsInternals
🎉Success. Our #Pwn2own team combined #zeroday bugs to #exploit @home-assistant.io green which earned them $20'000 and 4 pts. Congratz to @bcyrill.bsky.social Emanuele, Lukasz @muukong.bsky.social and @yvesbieri.bsky.social.
Respect to @stephenfewer.bsky.social and the Summoning Team for the wins.
So proud. Congratz. This is pwntastic!
🧭 Navigation complete! The team from Compass Security just charted a course straight into @home_assistant Green at #Pwn2Own. They head off to the disclosure room to spill how they did it. #P2OIreland
#Pentest of gRPC-Web apps is tricky due to the binary format. We are releasing bRPC-Web, a @portswigger.net @burpsuite.bsky.social extension developed by our @muukong.bsky.social that helps manipulate #gRPC-Web traffic, even in absence of #protobuf schemas. blog.compass-security.com/2025/10/brpc...
@thezdi.bsky.social #Pwn2own schedule is out. Compass folks have been drawn 3rd to exploit the @home-assistant.io Green for $40,000. 🤞 for a #bounty today Tuesday Oct 21st, 5pm (Swiss time). #ethicalhacking
Schedule www.zerodayinitiative.com/blog/2025/20...
Heading to Cork for #Pwn2Own Ireland 🇮🇪. Watch the live draw at 15:00 (Swiss time) to see which target we’ll be taking on 👀🔗 www.linkedin.com/events/pwn2o...