James Forshaw
● ACTIVE
tiraniddo.dev + googleprojectzero.blogspot.com
Project Zero’s Windows internals specialist. Still posting deep-dives into COM/DCOM, sandbox escapes, Windows logical EoP, and tooling (OleView.NET). Wrote the Windows Security Internals book (2024). His sandbox-attacksurface-analysis-tools repo is essential for anyone auditing Windows.
Synacktiv Team
● ACTIVE
HOT
synacktiv.com/publications
French offensive security firm with one of the best public research feeds going right now. Pwn2Own regulars — VMware escape, router 0-days, iOS bugs. Recent posts cover NTLM reflection revival (CVE-2025-33073), heap exploitation on Windows 11 LFH, and ICS pen-test findings. Prolific and rigorous.
Gynvael Coldwind
● ACTIVE
gynvael.coldwind.pl
Google security engineer, Dragon Sector CTF. Still streams security challenges live on YouTube and posts writeups. Covers a rare range — parsing bugs, network protocol edge cases, Python internals — with a rigorous, near-academic clarity you won’t find many places.
lcamtuf — Michal Zalewski
◌ ARCHIVE
lcamtuf.coredump.cx / lcamtuf.substack.com
Created AFL, wrote The Tangled Web. Now at a16z, no longer actively posting security research — but the old writing fundamentally rewires how you think about bug classes and tooling design. His Substack occasionally covers adjacent tech thinking. Read the archives first.
Joe FitzPatrick
◌ ARCHIVE
vividmachines.com / securinghardware.com
Hardware security researcher and educator — JTAG exploitation, supply chain attacks, implant design. Blog updates are sparse now but the training material and older posts are still the best entry point into hardware offensive security. Worth the dive given any fintech/embedded surface exposure.