April 21, 2026

Most Red Teams Stop Too Early: Here’s What They Miss

Turning Small Findings into Full Attack Paths

Most offensive security teams stop where curiosity should begin.

They find the vulnerability, document the risk, and move on. The report gets delivered, the box gets checked, but a single flaw is not always a single flaw.

For a security program, that creates a dangerous gap between what’s reported and what’s actually possible.

At OnDefend, we take a different approach.

Because breaking something isn’t the goal, understanding how far it can be broken is.

What Actually Makes an Offensive Security Team “Elite”

It’s one thing to have a large in-house team (which we do), but can that team really give customers a glimpse into what attackers see? Can they mimic attacker tradecraft closely enough to find, and help fix, flaws before the worst happens? Answering that means thinking in attack paths: an attack path is the sequence of steps an attacker can take to move from an initial vulnerability to full system compromise.

Maybe the biggest difference in how OnDefend serves clients is how deep we dive before we label something as a finding. You’ve probably seen findings where a lot of “coulds,” “mights,” and “possibles” show up. This is where the OnDefend team digs in further and works to answer whether those coulds, mights, and possibles are true, giving customers much richer context around the actual risk presented.

Working through different scenarios to show the impact of a finding often leads our OnDefenders not only to develop capabilities that help navigate the current finding, but also to build better attack paths in the process.

Take Five

Real-World Example One: Discovering a Hidden Attack Path

Watch the video as OnDefend CTO Ben Finke walks through a real-world example of how our elite red team uncovered a hidden attack path inside a modern application environment using continuous security testing.

The Outcomes

Real-World Example Two: Never Stopping at “Well, We Found Something”

In the example highlighted in the video above, our OnDefend offensive security team found an application in use by a customer that used an embedded web browser. By doing some reverse engineering, the team found the configuration for the embedded web browser was insecure. For many other firms, this is where the finding ends, but that’s not how OnDefend operates.

With some extra digging, our team identified the specific conditions under which that vulnerability could be exploited and built a proof-of-concept exploit chain that allowed for the complete compromise of a system running that application by simply opening a file.

When discussing the finding with the client, there was no need to debate the severity of the issue, nor was it difficult to judge whether the proposed fix would effectively resolve it.

Real-World Example Three: One Small Flaw Is Never Just One Flaw

An OnDefender assessed a hardware device with multiple connectivity modes, including Wi-Fi, cellular, Bluetooth, and more, to determine the security of the stored data and whether any of it was accessible or transmitted when it should not have been.

To answer the question, “Do we know all the different ways the device can communicate?” the team built an automated solution to identify and classify radio wave emissions in our hardware testing lab. We paired this capability with our ability to reverse engineer firmware, during which the team discovered a default password for the Wi-Fi connection.

The OnDefend red team leveraged this finding and built a complete exploit chain starting from that issue, linking together other weaknesses discovered during the firmware and hardware testing to achieve full takeover of the device.

Real-World Example Four: What Happens When AI Becomes Part of the Attack Path

To evolve alongside market needs, our team at OnDefend has developed a robust capability around testing AI and LLM systems directly, as well as assessing their impact when embedded into an application. OnDefenders have helped customers explore trust and safety issues, often finding ways to bypass guardrails and safety mechanisms to incite the LLM to perform activity expressly against its Terms of Service.

In another example, an OnDefend pentester identified a flaw in a web application that could have allowed for a cross-site scripting attack but was unable to bypass the filtering of that parameter to directly exploit the condition. They did notice, however, that an LLM operated by that same organization was accessible and appeared to bypass some of the filtering mechanisms.

By crafting a specific prompt, they were able to have the LLM generate the XSS payload and return it to the target application, bypassing the security controls and successfully triggering the attack.
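The lesson for defenders in this example is that a filter on one input parameter is not an XSS control: text that reaches the same HTML sink through another channel, here an LLM's output, never meets the filter at all. The snippet below is an added illustration, not OnDefend's code or anything from the engagement described; the filter, the render functions and the sample strings are constructed for the example. It contrasts a blocklist applied only to the request parameter with context-aware encoding applied at the sink, and shows that only the latter treats model-generated text as untrusted.

```javascript
// Added example (not from the original post): a parameter blocklist versus
// output encoding at the HTML sink, with LLM output as a second input channel.

// A naive input filter of the kind the passage describes (hypothetical):
// it rejects the parameter when it sees obvious script markup.
function naiveParamFilter(value) {
  const blocklist = [/<script/i, /javascript:/i, /onerror\s*=/i];
  return blocklist.some((re) => re.test(value)) ? null : value;
}

// Context-aware encoding for an HTML text node. Every character that can
// change HTML structure becomes an entity, regardless of where it came from.
function encodeForHtmlText(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(value).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Render a user-supplied comment. 'filter-only' relies on the parameter
// blocklist; any other mode encodes at the sink.
function render(comment, mode) {
  if (mode === 'filter-only') {
    const v = naiveParamFilter(comment);
    return v === null ? '<p>[blocked]</p>' : `<p>${v}</p>`;
  }
  return `<p>${encodeForHtmlText(comment)}</p>`;
}

// Render text that arrived from a model rather than from the request
// parameter. In 'filter-only' mode nothing inspects it, because the
// blocklist only ever ran on the parameter, so it is written out verbatim.
function renderFromModelOutput(modelText, mode) {
  if (mode === 'filter-only') {
    return `<p>${modelText}</p>`;
  }
  return `<p>${encodeForHtmlText(modelText)}</p>`;
}

// Detection aid: after stripping the single <p> wrapper we emitted, does the
// fragment still contain a tag? If so, untrusted markup reached the page.
function containsUnexpectedMarkup(html) {
  const inner = html.replace(/^<p>/, '').replace(/<\/p>$/, '');
  return /<[a-z!\/]/i.test(inner);
}

// Constructed sample: the same string submitted directly and via the model.
const SAMPLE = '<script>x</script>';
console.log(render(SAMPLE, 'filter-only'));                 // blocked at the parameter
console.log(renderFromModelOutput(SAMPLE, 'filter-only'));  // passes straight through
console.log(renderFromModelOutput(SAMPLE, 'encode'));       // inert text
```

The design point is that encoding belongs at the sink, chosen for the context (HTML text here; attribute, URL and JavaScript contexts each need their own encoder), so that every source, including model output the application itself requested, is neutralised on the way out rather than inspected on one particular way in.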

Controls Will Fail. Your Testing Shouldn’t.

The reality is, controls fail. Environments change. New vulnerabilities are introduced. What was secure yesterday may not be secure today.

OnDefend’s Continuous Security Testing program is built to go beyond the initial finding.

By combining an elite red team, intelligence, and AI-powered innovation and efficiencies through BlindSPOT, we level the playing field against the adversary.

Learn More About Continuous Security Inspector