nullptr.security :: tmux 0:adversarial-ops _□×

root@nullptr:~/2026$ ./greet --client=enterprise --no-bullshit

WE BREAK
THINGS
BEFORE THEY DO.

Nullptr Security is a forty-person offensive security boutique in Berlin and Tallinn. We build red-team programs for fintechs, hospitals, and the kind of infrastructure you don't want on the news. We have never failed an engagement.

whoami --since 2019

> Founded by ex-NCSC and Project Zero engineers, May 2019.
> 287 engagements completed across 14 countries.
> Zero customer breaches occurring on engagements we ran the prior 12 months.
> 1,412 zero-days reported, of which 218 cited under our handle.

cat /etc/services.conf | head

[red-team] → continuous adversarial simulation against your live stack.
[purple-team] → joint engagements with your blue team to harden detection.
[appsec] → source-level review + active fuzzing on your highest-risk surfaces.
[ir-retainer]→ on-call response, 30-minute SLA, anywhere on the planet.

Currently accepting 3 new engagements for Q3 2026. 17 spots remain on the IR retainer roster. Last incident response: 4 hours ago, ongoing.

request brief → + download capabilities deck

OPS_NORMALSOC2_TYPE_IICREST_REGISTERED40 ENGINEERSBERLIN · TALLINN · REMOTE

// active engagements

across 9 countries

// 0-days reported (lifetime)

1,412

218 cited under our handle

// avg. time to first finding

42m

across last 50 engagements

// engagements without findings

since founding · 287 of 287

Recent Disclosures

Public CVEs filed by our team in the last 90 days

CVE	Affected	Class	Severity	Status
2026-21847	Cisco AnyConnect Mac < 5.1.4	Local privilege escalation	CRITICAL	patched · vendor
2026-19402	OpenSSL 3.4.x	Memory disclosure (TLS handshake)	HIGH	patched · upstream
2026-18215	Microsoft Exchange (on-prem)	Auth bypass via deserialization	CRITICAL	workaround issued
2026-17034	Veeam Backup & Replication 12.x	Remote code execution (unauth)	CRITICAL	patched · v12.4.1
2026-15983	F5 BIG-IP TMUI	Authenticated RCE chain	HIGH	embargoed · disclosure 2026-05-12
2026-14118	Nginx Plus dynamic modules	Heap overflow on header parse	MEDIUM	patched · upstream
2026-13002	Sonatype Nexus 3.x	SSRF → metadata service exposure	HIGH	patched · vendor

The Services

Four engagement classes · all bespoke · no checkbox audits

Continuous Red Team

A four-person crew operates against your live infrastructure for a fixed quarter. We pivot, persist, and exfiltrate exactly as a real adversary would.

4 ops · 90 days
Slack channel + weekly war-room
Final report & replay video
One free re-test at +90 days

FROM €68kbrief us →

Purple Joint Ops

We attack alongside your blue team in real time. Each technique is paired with a detection & response playbook your engineers help write.

2 weeks on-site or remote
20+ ATT&CK techniques
Detection rules in your SIEM
Tabletop wrap-up with execs

FROM €34kbrief us →

Application Security

Source review + active fuzzing on the surfaces your auditors won't look at. Every issue comes with reproduction steps and a working patch.

Source + binary + protocol
Custom harnesses
Patch PRs included
Closeout with your CTO

FROM €22kbrief us →

Engagement.flow()

From brief to debrief, typically 11 weeks

[ T-0 · DAY 0 ]

Initial Brief

30-minute encrypted call. Scope, crown jewels, blue-team posture, escalation paths. NDA at this point only if required.

[ T+5 · DAY 5 ]

Rules of Engagement Signed

Targets, exclusions, escalation contacts, legal counsel CC'd. We do not begin until this is finalised.

[ T+14 · DAY 14 ]

Recon & Initial Access

External enumeration, OSINT pivots, first foothold. We typically achieve initial access between day 4 and day 11.

[ T+45 · DAY 45 ]

Mid-engagement Sync

Findings to date, attack paths in progress, blue-team detections (or absence of). Adjust scope if needed.

[ T+75 · DAY 75 ]

Debrief & Replay

Live walkthrough of every chain, with your engineers in the room. Patches and detection rules handed over in writing.

[ T+165 · DAY 165 ]

Free Re-test

One re-test at +90 days post-debrief, included. We verify your fixes hold against the same adversarial pressure.

Trusted by

A subset · most clients are confidential under NDA

N26

Klarna

Wise

Bolt

SoundCloud

Charité

Helsana

Skyscanner

DeepL

Trade Rep.

Statkraft

+ 41 NDA

root@nullptr:~/engage$ ./request_brief --new

YOU BUILD IT.
WE'LL BREAK IT.

// Tell us about your stack and your worst-case scenario. We respond to every brief within 24 hours, in person, never via a portal.

███╗ ██╗██╗ ██╗██╗ ██╗ ██████╗ ████████╗██████╗ ████╗ ██║██║ ██║██║ ██║ ██╔══██╗╚══██╔══╝██╔══██╗ ██╔██╗ ██║██║ ██║██║ ██║ ██████╔╝ ██║ ██████╔╝ ██║╚██╗██║██║ ██║██║ ██║ ██╔═══╝ ██║ ██╔══██╗ ██║ ╚████║╚██████╔╝███████╗███████╗██║ ██║ ██║ ██║ ╚═╝ ╚═══╝ ╚═════╝ ╚══════╝╚══════╝╚═╝ ╚═╝ ╚═╝ ╚═╝ .security

WE BREAKTHINGSBEFORE THEY DO.