Jon Oberheide
@jonoberheide
Current: Board member & startup advisor. Past: Co-Founder & CTO at @duosec, PhD at @umich. Go Blue! 〽️
Congrats @ethanmgibbs and @imbobwei! 🎉 If you want to help define the future of AI-native embedded development (hardware, IoT, robotics, etc), get in touch with the @embedderdev crew: embedder.dev
Embedder (@embedderdev) is building the Cursor for embedded: upload data sheets, chat with agents, and generate production-level driver code in seconds. Congrats on the launch, @ethanmgibbs and @imbobwei! ycombinator.com/launches/Ny4-e…
What works better than Pomodoro to focus your mind? Renting a few H100 machines and seeing the cost for every minute you spend not on-task.
The next generational company in security: @Xbow Congrats to @oegerikus, @nicowaisman, and team on the HackerOne achievement, Series B funding, and all the progress to-date! The future of software security is 🤖.
XBOW has become the top hacker in the US on @Hacker0x01, outperforming every human participant. Alongside this milestone, we are announcing our $75M Series B with @apoorv03 of @altcap. As bad actors get more advanced and use AI to become more powerful, @XBOW is our answer. XBOW…
A misconfigured trial tenant and some overlooked design choices in OneLogin led to a serious compromise. Check out @n0pe_sled's blog post to see how he pivoted from trial access to extracting customer signing keys. ghst.ly/402XsWy
itshappening.gif /cc @Xbow
An AI system is the top hacker on the H1 US leaderboard.
I am old enough to remember when some people thought arresting one teenager in the UK was going to put a stop to Scattered Spider... The reality is that the tactics are easy enough that many can and will apply them as long as there is ample opportunity and reward for doing so.
So… who has not seen the news, right? Scattered Spider is on a rampage by the looks of it. Let's use this thread to share everything you know and can find on Scattered Spider, folks. Combining our strength in times like this is most important! Who is going to break the ice?
OAuth is the 2020s .rhosts. IYKYK.
=> "attackers aren’t hacking computers anymore. They’re hacking trust relationships, identities, and APIs."
Browser EDR might sound funny at first, but if you know where tech/threats are headed (like @ajaybateman and the @PushSecurity crew), you get why this is the future platform for identity security.
🚀 We’re thrilled to announce our $30M Series B led by @Redpoint, supercharging our mission to stop identity attacks 🚀 Check out the press release here: pushsecurity.com/news/push-secu…
No one knows vulnerability/exposure management like @hdmoore and the team over at @runZeroInc. And nobody (CrowdStrike, Axonius, Armis, etc.) has the breadth/depth of asset coverage that they do. Check out the new Risk Findings capability if you haven't yet kicked the tires.
🚀 Are you ready for the new era of exposure management? 🚀 It's launch day. Time to see what you’ve been missing. Uncover your unknowns. Manage the unmanageable. Find elusive exposures. And finally take control of your total attack surface. More👉 runzero.com/blog/new-era-e…
Excited to share our market overview that we presented to our limited partners this week. Obviously an unusual time in the market for a bunch of different reasons and we tried to distill our current thinking into a few dozen slides. Hopefully interesting to people thinking about…
If you work really hard as a founder and dedicate a decade+ to your startup, you too can achieve the privilege of having a small table at a local thrift store dedicated to your company swag. 🙃

OpenTitan. The world's first open source security chip. (And it's PQC ready as well.) Amazing work from the Google infrastructure / cloud security engineering teams. opensource.googleblog.com/2025/02/fabric…
Awesome outcome for Ann Arbor-based @SafeSend_One and friends (and past Duo investors) at @LeadEdgeCapital! techcrunch.com/2025/01/02/tho…
o1 appears to easily identify the issue in this code. Others have also noted it can correctly determine the input to crash crackaddr. I have also made small modifications of this code and crackaddr to try to trip it up. It still gets it right.
Every time something like this is posted I wonder if I am missing something, and I check again whether ChatGPT can exploit bugs in simple code. It cannot. LLMs can't find bugs that depend on state, no matter how simple. It could not find the issue in this code, let alone exploit it.
Venture is no longer a monolithic asset class so the @benchmark vs @a16z comparison is kind of silly. But regardless, one must respect the consistency and dedication of Benchmark. The odometer reset in the latest "Benchmark 1" fund is further proof. nytimes.com/2024/12/13/tec…
XBOW starts with a source code review, and then it mounts an attack, referring back to the source code whenever it gets stuck. A nice interplay between static and dynamic analysis.
XBOW found a stored XSS vulnerability (CVE-2024-52597) in the migration functionality of 2FAuth by crafting a malicious SVG file with a JavaScript payload! Our latest blog post, by @djurado9, gives the full details: xbow.com/blog/xbow-2fau…
Excited to announce @sublime_sec has raised a $60M Series B led by @IVP. @CNBC wrote about the news this morning: cnbc.com/2024/12/12/ema… @ianthiel and I are so grateful and humbled by the trust our customers and community have placed in us. We won't let you down.