Introducing Ostorlab Source Code Scanning
Source Code Scanning helps you identify security vulnerabilities directly in your source code before they reach production. Connect your repositories, run scans on demand, and review actionable findings from within Ostorlab.
Tue 07 July 2026
App Vetting, Scan Coverage Heatmap, Mobile Shielding Scan, Deep Agentic Scan Improvements, Cyber Models & Source Code Scanning
This release introduces App Vetting, Scan Coverage Heatmap, Mobile Shielding Scan, Deep Agentic S...
Tue 07 July 2026
Deep Scan Improvements: Faster Execution, Better Decisions, and Incremental Testing
The latest Deep Agentic Scan release introduces faster mobile testing, improved reverse engineeri...
Tue 30 June 2026
Introducing Mobile Shielding That Can Resist AI Attacks
Ostorlab has launched Mobile Shielding Scan, an automated, AI-powered testing solution designed s...
Thu 25 June 2026
The App Was Never Opened
Agentic harnesses change what an LLM can do in mobile app security testing. On its own, a model can name likely risks such as insecure storage, exposed secrets, risky permissions, vulnerable SDKs, backend issues, and privacy exposure, but the app may remain untouched. With the right tools, context, memory, prompts, execution loops, and runtime feedback around it, the model can inspect the app package, observe behavior, follow traffic, connect signals, and leave behind evidence a security team can review. From permission analysis to JEF-powered native exploitation, the difference is visible in the trace: app evidence, tool output, runtime proof, and reproducible steps instead of report-shaped text.
Introducing Ostorlab Cyber Models
Ostorlab has launched Cyber Models, a managed, prepaid AI infrastructure tier for Deep Agentic Scans. It gives security teams streamlined access to specialized models like GPT-5.5 Cyber and Opus 4.8 with Cyber Verification Program through approved provider channels. This bypasses the need to manage external API keys, provider rate limits, or fragmented billing dashboards.
Latest posts
There Is No Magic Box: Why AI-Era AppSec Needs a Stack
Walk the floor of any major cybersecurity conference today and you will hear about the promise of autonomous AI-powered platforms. But AI-only testing doesn't scale. A resilient AppSec program requires a cost-aware, tiered stack combining rapid traditional scanners, private semantic reviews, and selective orchestration of frontier models.
Mon 22 June 2026
The Definitive Guide to Mobile App Vetting: Securing the Enterprise App Ecosystem
This comprehensive guide covers the architecture, risk methodologies, and deployment frameworks required to architect an enterprise mobile app vetting strategy that protects corporate data assets without creating operational friction.
Fri 19 June 2026
Introducing Ostorlab App Vetting for the Agentic Era
Ostorlab has launched App Vetting, a mobile application risk assessment solution that helps teams evaluate Android and iOS apps before approval. It combines static analysis, dynamic testing, and secure sandbox execution with continuous monitoring, weighted risk scoring, and agentic workflows to identify vulnerabilities, privacy risks, malware indicators, telemetry behavior, and trust issues while helping teams prioritize what matters most.
Tue 16 June 2026
Building an AI PR Reviewer Engineers Actually Trust
We built an AI-powered pull request reviewer, shut it down after hallucinations and false positives eroded developer trust, then rebuilt it with better models, broader context, and a more conservative agent architecture. This article shares what we learned about automated code review, why trust matters more than coverage, and how AI reviewers can help engineering teams reduce repetitive review work without replacing human judgment.
Mon 08 June 2026
Introducing Ostorlab’s Single Vulnerability Assessment and Dig Deeper
Ostorlab is launching a powerful, highly targeted AI orchestration engine accessible through two distinct UI workflows: Single Vulnerability Assessment (SVA) and Dig Deeper. While both features share the exact same underlying AI logic, capabilities, and "Bring-Your-Own-Key" structure, they are tailored for different entry points in your workflow. SVA is launched as a fresh, standalone scan for targeted, cost-efficient assessments, fix validations, or bug bounty verifications. Dig Deeper is triggered directly from an existing finding within a scan report to instantly investigate false positives or trace exploit paths. Together, they give teams surgical control over how they test and validate individual vulnerabilities.
Tue 02 June 2026
Single Vulnerability Assessment (SVA), Dig Deeper, Scan Report PDF Design Improvement & Multilanguage Support
This release introduces Single Vulnerability Assessment (SVA) for targeted validation, Dig Deeper for granular root-cause investigation, Live Attack Scenario Risk & Status Tracking, Scan Report PDF Design Improvement, full multilanguage localization, and new compliance whitelisting support.
Mon 01 June 2026
Exploit CVE-2026-42208: LiteLLM Unauthenticated SQL Injection via Bearer Token
A technical breakdown of CVE-2026-42208, a CVSS 9.3 critical unauthenticated SQL Injection vulnerability in the LiteLLM Proxy API. Improper parameterization of the Bearer token within raw SQL queries used for complex multi-table joins allows blind boolean-based timing attacks, enabling unauthenticated attackers to exfiltrate sensitive data including virtual API keys, user information, and LLM spend logs directly from the database.
Fri 22 May 2026
DirtyFrag: Universal Linux Local Privilege Escalation via Page-Cache Write
A technical breakdown of DirtyFrag, a pair of Linux kernel local privilege escalation vulnerabilities (CVE-2026-43284 and CVE-2026-43500, CVSS 7.8 HIGH) that allow any unprivileged local user to obtain root on most major Linux distributions. By chaining an xfrm-ESP and an RxRPC in-place decryption path flaw, both rooted in the same page-cache write primitive as Dirty Pipe and Copy Fail, the exploit overwrites read-only page cache pages without a race condition, achieving near-100% reliability.
Wed 13 May 2026