Red Team As A Service
get hacked before the bad guys do
AI security agents that autonomously find, triage, and patch codebase vulnerabilities in hours.
Initial scan free for YC companies
A live feed of the public disclosure log of security vulnerabilities autonomously discovered and patched by winfunc.
NGINX | Medium | CVE-2026-28755
stream accepts revoked client certificates despite ssl_ocsp on (CVE-2026-28755)
NGINX | Medium
SCGI unbuffered mode sent truncated CONTENT_LENGTH causing backend desync
React | High | CVE-2026-23864
RSC reply decoder DoS via $K FormData amplification (CVE-2026-23864)
Node.js | Medium | CVE-2026-21636
Permission model bypass via unchecked Unix Domain Socket connections (CVE-2026-21636)
Anthropic | Critical
Authentication bypass on FastMCP custom routes
Bun | High
Exponential merge keys in Bun's YAML implementation leads to DoS

Supabase | Critical
SQL Injection via queueName in getDatabaseQueuesMetrics
Gumroad | Critical
0-click Account Takeover and Admin Operations via helper endpoint authorization bypass
Mattermost | Medium | CVE-2026-2455
SSRF bypass via IPv4-mapped IPv6 literals in IsReservedIP (CVE-2026-2455)
Mattermost | Medium | CVE-2026-25783
DoS via unchecked User-Agent token in getBrowserVersion (CVE-2026-25783)
Mattermost | High | CVE-2026-24458
Unbounded PBKDF2 hashing allows remote login DoS via oversized passwords (CVE-2026-24458)
Mattermost | CVE-2026-21386
Private Channel Enumeration via /mute Slash Command (CVE-2026-21386)
Better-Auth | Medium
Multi-session sign-out hook allows forged cookies to revoke arbitrary sessions
End of transmission.
how does this work?
the winfunc procedure
01. Initiate Contact
Book a demo call to establish secure comms. We'll verify your authorization to audit.
02. Define The Target
Share your scope and repositories. Our agents map the attack surface instantly.
03. Vulnerabilities & Patches
Receive a comprehensive report. We provide the exploits and the fixes.
Frequently asked questions.
The initial vulnerability scan is free for YC companies. This includes a comprehensive audit and initial findings report.
For ongoing protection, continuous monitoring, and automated patching tailored to your codebase and team requirements, book a call to get a quote.
