Finding creative solutions to solve the world’s most difficult security problems

Improving the security and privacy of data and systems internally and for the broader security community requires a deep commitment to innovation. It’s through our research and development team that we’re able to develop new research, create security tools, and publish technical artifacts that contribute to the continuous improvement of the offensive security space.

Coalfire at convention

Join our team of innovators.

Ready to solve some of the world's toughest cybersecurity challenges? Explore our open positions.

Apply today

Stay a step ahead.

Follow our R&D team on Twitter to hear about our latest projects and tools.

See the latest

Featured tools


ERC is an open source Windows exploit development framework that is available on GitHub as an API or a X64dbg plugin.

iOS 11 Jailbreak

For iOS 11.1.2 (15B202) – if you don’t have this exact version, it won’t work for you.

Key tools and findings

Browse by topic
  • All
  • Discovery
  • Exploit development
  • Internet of Things
  • Password cracking
  • Mobile
  • Open source intelligence (OSINT) and social engineering
  • Post-exploitation
  • Reverse engineering
  • Web application testing


ERC is an open source Windows exploit development framework that is available on GitHub as an API or a X64dbg plugin.

iOS 11 Jailbreak

For iOS 11.1.2 (15B202) – if you don’t have this exact version, it won’t work for you.


Give the script a newline separated list of subnets, and it scans each subnet for life hosts and writes a certain percentage of random live IPs from each subnet to a SampleIPs.txt.


Detect cve2012-0053 with this Nmap plugin.

The dangers of client probing on Palo Alto firewalls

Gain a better understanding of the risks associated with User-ID and the particularly dangerous Client Probing option within it.


Used for debugging Windows application crashes. ERC.Net supports 64- and 32-bit applications; parses DLL/EXE headers; identifies compile time flags (ASLR, DEP, SafeSEH); generates non-repeating patterns and platform-specific egg hunters; and more.  


Assists in exploit development process with an X64dbg plugin built around the ERC library.

Fuzzing: common tools and techniques

A software testing methodology, fuzzing is used from a black- or white-box perspective and provides deliberately malformed inputs to an application to identify errors that could cause further compromise.

The basics of exploit development

Learn more about the creation of an exploit for a 32-bit Windows application vulnerable to a buffer overflow using X64dbg and the associated ERC plugin.

Internet of Things

See how easy it was for hackers to attempt to cause life-threatening harm by weaponizing one of today’s increasingly common and cheap devices: a 3D printer.


Built from serverless components in AWS and designed for easy deployment, NPK brings high-power hash-cracking to everyone.


Send hashes to hashcat to be cracked with this Willie module. As soon as a hash is cracked, HashBot PMs the invoker with the cracked hash and plaintext.


An OSINT tool specifically for developers.


A full-fledged Python3 Metasploit automation library that can interact with Metasploit through msfrpcd or the msgrpc plugin in msfconsole.

Executing Metepreter on Windows 10

Windows Defender blocks Metasploit’s Web Delivery module. Learn an alternate way to achieve the same goal – without dropping files on the host system – and provide more options depending on which ports can egress the network.

PowerShell: in-memory injection using certUtil.exe

Use PowerShell, Invoke-CradleCrafter, and Microsoft’s Certutil.exe to craft a payload and one-liner that can evade Windows Defender, and get tips to avoid getting caught by intrusion detection systems and behavior analysis.


A Golang implant that uses Slack as a command-and-control channel.


A stealthy Python-based backdoor that uses Twitter direct messages as a command-and-control service.


A suite of tools that interact with Intel AMT.

Reverse engineering and patching with Ghidra

Delve into reverse engineering and patching software using the open-source NSA tool Ghidra, which rivals expensive competitors (e.g., IDA Pro) in value and ease of use.


Use mitmproxy to intercept all HTTP traffic and automatically forward HTTP GET and Post requests to SQLMap’s API to test for SQLi and XSS.

Auto fuzz cookies to detect weaknesses that can lead to additional vulnerabilities and create screenshots.

Java Deserialization Exploits

Explore a collection of curated Java deserialization exploits.

The right way to test JSON parameters with Burp

Discover a Burp trick to help find instances of command execution and lots of SQL injection in other applications.


Helper functions for describing AWS infrastructure. Intended for writing tests, Carvajal can also monitor and audit. Look up variables, data sources, and other terraform objects with terraform helpers.

Compliance testing

Get real-life lessons that you can apply to your security program from our pen tester who found two zero-days and used them to break a system from no access to work.