Engineering
The App Was Never Opened
Agentic harnesses change what an LLM can do in mobile app security testing. On its own, a model can name likely risks such as insecure storage, exposed secrets, risky permissions, vulnerable SDKs, backend issues, and privacy exposure, but the app may remain untouched. With the right tools, context, memory, prompts, execution loops, and runtime feedback around it, the model can inspect the app package, observe behavior, follow traffic, connect signals, and leave behind evidence a security team can review. From permission analysis to JEF-powered native exploitation, the difference is visible in the trace: app evidence, tool output, runtime proof, and reproducible steps instead of report-shaped text.
Thu 25 June 2026
Building an AI PR Reviewer Engineers Actually Trust
We built an AI-powered pull request reviewer, shut it down after hallucinations and false positiv...
Mon 08 June 2026
Threat Center v2: Staying Ahead of Vulnerabilities
The Threat Center provides essential updates for organizations to stay informed about security th...
Thu 10 October 2024
OXO Titan UI: Simplifying Security Scanning for Everyone
OXO Titan UI encapsulates OXO's capabilities within an accessible interface, democratizing advanc...
Mon 26 August 2024
🚀 OXO v1.0!
OXO version 1.0 is 10x faster, supports ARM64 architectures, and is packed with improved capabilities such as scanning multiple assets and a simpler, more powerful CLI.
Apple Privacy: A Comprehensive Guide to Privacy Manifest Files
This article offers a guide to Privacy Manifest files in Apple's ecosystem, stressing their importance for transparency and compliance, especially with the upcoming 2024 mandate, outlining steps for implementation, and underscoring their role in promoting user trust and adherence to regulations.
Latest posts
Enhancing PostMessage XSS Detection with Proxy Object Instrumentation
The article introduces a new method for detecting PostMessage Cross-Site Scripting (XSS) vulnerabilities using JavaScript Proxy objects, which enhances traditional dynamic fuzzing techniques.
Thu 04 April 2024
Swift Under the Microscope: Practical Dynamic Instrumentation
Article on Swift dynamic instrumentation. The article explains the steps to perform dynamic analysis of a Swift-based application, covering name mangling, the Swift ABI, and extraction of function arguments in Swift.
Mon 11 March 2024
Strategies for writing super fast Python
In this article, we look at different ways to improve the performance of Python, an interpreted language.
Tue 18 April 2023
Fix it! at Ostorlab
Ostorlab's Fix it! practice is one of our most successful engineering practices, helping us eradicate bugs and kill technical debt.
Sun 19 February 2023
Tips and tricks for developing & debugging OXO Agents
Tips and tricks to make your life easier when developing & debugging OXO Agents.
Thu 18 August 2022
Life of a Scan: how OXO's open-source vulnerability scanner works
This article talks about how OXO works under the hood.
Tue 02 August 2022
What I've learned from my first job as a Software Engineer at Ostorlab
This article talks about the experience of Rabson Phiri who works as a Software Engineer at Ostorlab.
Tue 19 April 2022
Detection Engine @ Ostorlab
Overview of the detection capabilities provided by Ostorlab
Fri 01 May 2020