Research-Driven Cyber Security
A premium cybersecurity research and advisory firm specializing in offensive security operations, digital forensics and incident response, and advanced threat intelligence.
Offensive Security & Adversarial Operations
Hands-on offensive assessments built on real attacker techniques and practical research. We trace how intrusions actually unfold and expose the attack paths that matter.
Digital Forensics & Incident Response (DFIR)
Focused, methodical investigations that rebuild the full attack timeline. From memory forensics to reverse-engineering, we identify what happened and what needs to be fixed.
Threat Intelligence & Adversary Profiling
Intelligence centered on attacker behavior, infrastructure, and tooling. Clear, technical insights that show who is targeting you and how they operate.
Technical Security Advisory & Architecture Guidance
Long-term guidance backed by hands-on offensive and investigative experience. Architecture reviews, threat modeling, and practical support for engineering leadership.
Our Services
Premium cybersecurity research, offensive security operations, digital forensics, and threat intelligence - delivered with deep technical expertise and real-world adversarial perspective.
Offensive Security & Adversarial Operations
Hands-on offensive assessments based on real attacker techniques and practical research. We map how intrusions actually occur - from initial foothold to full compromise - and uncover the attack paths that matter.
- Multi-stage intrusion simulations
- Vulnerability research and exploit development
- Red-team operations and detection-evasion testing
- Cloud, identity, and SaaS attack paths
- EDR/XDR bypass and stealth technique validation
DFIR - Digital Forensics & Incident Response
Methodical investigations that rebuild the full attack timeline and identify what needs to be secured. Our work combines forensics, reverse-engineering, and incident-response experience.
- Memory forensics and artifact extraction
- Host timeline reconstruction
- Malware reverse engineering
- Root-cause analysis with attacker mapping
- Containment and recovery guidance
Threat Intelligence & Adversary Profiling
Actionable intelligence focused on attacker behavior, infrastructure, and tooling. We help teams understand who is targeting them, how they operate, and how to prepare.
- Threat-actor profiling and TTP mapping
- IOC/IOA enrichment and correlation
- C2 and infrastructure investigation
- Technical intelligence reports
- Tracking of new and emerging threats
Technical Security Advisory & Architecture Guidance
Long-term, senior-level guidance for organizations that need deep technical security expertise. Recommendations are based on real offensive and defensive work.
- Architecture and design reviews
- Threat modeling (STRIDE, attack-path analysis)
- Secure development practices
- Ongoing technical advisory for engineering leadership
- Fractional CISO support
What We Bring
We deliver cybersecurity services grounded in practical experience - offensive research, adversarial simulations, forensics, and intelligence. The objective is direct: identify the weaknesses that matter and strengthen systems using real, technical insight.
Research & Publications
Books
Long-form research and technical books authored by Cipher Security Labs researchers.
MAoS - Malware Analysis on Steroids
Real-world malware analysis & reverse engineering. A comprehensive guide to modern malware analysis techniques.
Antivirus Bypass Techniques
Hands-on techniques and tactics for bypassing antivirus protection, written for security researchers and penetration testers.
Articles & Technical Papers
Selected articles, malware write-ups, and research notes published by our team.
Two Sides of the Same Coin: From Dissected Malware to EDR Evasion
Analysis of malware dissection techniques and their relationship to EDR evasion strategies. (Read on TrainSec Academy)
Can Document Files Be Trusted?
Security analysis of document file formats and potential attack vectors. (Read on TrainSec Academy)
Reverse Engineering ARM-Based Mirai Botnet
Technical deep-dive into the ARM architecture implementation of the Mirai botnet. (Read on TrainSec Academy)
Remote Thread Injection and Detection - Live Workshop
Live workshop covering remote thread injection techniques and defensive detection methods. (Read on TrainSec Academy)
Dissecting BlackByte Ransomware
Comprehensive analysis of BlackByte ransomware operations and technical implementation. (Read on TrainSec Academy)
Debugging DLL Files with IDA Disassembler
Practical guide to debugging and analyzing DLL files using the IDA Pro disassembler. (Read on TrainSec Academy)
Back to the Future of the Cyber Landscape
Analysis of evolving cyber threats and future trends in the security landscape. (Read on TrainSec Academy)
MuddyWater Initial Access Trojan
Technical investigation of the MuddyWater APT group's initial access trojan and attack methodology. (Read on TrainSec Academy)
One Electron to Rule Them All
Security analysis of Electron-based applications and potential exploitation vectors. (Read on TrainSec Academy)
Intel Audio Driver - Unquoted Service Path Vulnerability
Discovery and analysis of an unquoted service path vulnerability in Intel audio drivers. (Read on TrainSec Academy)
MSI TrueColor - Unquoted Service Path
Security research on an unquoted service path vulnerability in MSI TrueColor software. (Read on TrainSec Academy)
The Malware Shlayer
Deep technical analysis of the Shlayer malware family and its distribution mechanisms. (Read on TrainSec Academy)
Microsoft WSLService - Unquoted Service Path Vulnerability
Research on an unquoted service path vulnerability in the Microsoft Windows Subsystem for Linux service. (Read on TrainSec Academy)
Dissecting Ardamax Keylogger
Comprehensive reverse engineering and analysis of the Ardamax keylogger malware. (Read on TrainSec Academy)
Five Steps to Addressing Supply Chain Vulnerabilities
Strategic approach to identifying and mitigating supply chain security risks in automotive and critical infrastructure systems. (Read on Hakin9)
You Are Never Safe: How Hackers Bypass Antivirus
Interview and analysis of antivirus bypass techniques, exploring the dynamics behind security solutions and evasion methods. (Read on Cyber Ducks)
Hunting Process Injection by Windows API Calls
Comprehensive guide to detecting and analyzing process injection techniques through Windows API call monitoring and behavioral analysis. (Read on Exploit-DB)
Honors & Awards
Industry recognition and Hall of Fame acknowledgments for our security research.
About Us
Cipher Security Labs is a premium cybersecurity research and advisory firm specializing in advanced security analysis, adversarial testing, and high-end consulting. Built on deep technical expertise, rigorous methodology, and an uncompromising focus on precision, the firm delivers research-driven security work at a level typically reserved for elite internal teams.
Led by seasoned researchers Nir Yehoshua and Uriel Kosayev, Cipher Security Labs brings together more than twenty years of combined experience across vulnerability research, reverse engineering, malware analysis, penetration testing, and strategic cybersecurity advisory. Their background spans complex security challenges across a wide range of industries and technical environments.
All of our clients - regardless of size or sector - benefit from the same core approach: deep research, technical accuracy, and meticulous attention to detail.
Cipher Security Labs operates with a research-first mindset and a commitment to clarity, precision, and meaningful technical impact. Our work is grounded in expertise, designed to help organizations strengthen their security foundations through high-quality analysis and disciplined execution.
Contact Us
11715 Fox Rd Ste 400 PMB 4004
Indianapolis, IN 46236
United States
Tel Aviv, Israel
EDR Validation Platform
RefineSec validates EDR detection coverage through controlled execution on a single agent VM. The platform analyzes multiple EDRs simultaneously, providing structured results on adversary coverage, technique-level detection, and hardening recommendations.
The Problem
Organizations rely on EDRs without truly knowing what they detect. Coverage assumptions are often incorrect. Detection rules vary by vendor and configuration. Blind spots remain invisible until an incident occurs.
Security teams need visibility into detection gaps, multi-EDR performance differences, and prioritized remediation guidance. RefineSec addresses this gap.
How RefineSec Works
Deploy the RefineSec agent on a single VM with your EDRs installed. Paste your API key into the platform. The backend analyzes threat intelligence and selects relevant payload sets. The agent executes these techniques on the VM. All installed EDRs monitor the execution.
The platform collects detections from each EDR, normalizes the results, and sends structured data to the dashboard. You see adversary coverage, technique-level detection rates, execution timelines, multi-EDR correlations, and hardening recommendations.
Create a Campaign
Select threat actors from the library: LockBit, TA505, BlackCat, and others. Each actor is mapped to MITRE ATT&CK techniques used in actual operations.
Choose the TTPs and technique sets you want to validate. The backend selects payloads based on your selections and sends them to the agent VM. The platform handles execution, detection collection, and analysis.
Analysis & Visibility
RefineSec provides adversary coverage percentages across tested techniques. See detection scoring at the technique level. Compare performance across multiple EDR vendors. Understand which techniques were detected, blocked, or missed.
Multi-EDR correlation shows how different vendors respond to the same techniques. This helps identify vendor-specific strengths and gaps in your defensive stack.
Execution Timeline
The timeline view shows technique-by-technique execution flow. See when each technique ran, which EDRs detected it, and the sequence of events. This helps understand attack progression and detection timing.
Hardening & Improvement
RefineSec converts detection findings into a prioritized roadmap. See hardening scores, ransomware readiness assessments, and expected improvement metrics if you implement the recommendations.
Recommendations are tailored to your environment, EDR vendors, and the threat actors you tested. Each action is prioritized by impact on detection coverage.
Technique-Level Remediation
For each technique, see detailed remediation guidance. Understand which EDRs detected it, which blocked it, and what controls are missing. Review raw logs, rule matches, process trees, and EDR vendor responses.
Control-Level Deep Dive
Beyond technique-level guidance, RefineSec provides control-level remediation cards. Each card maps to specific MITRE ATT&CK techniques and shows expected threat reduction if the control is implemented.
Compliance frameworks such as ISO 27001, NIST CSF, CIS Controls, and MITRE D3FEND are mapped to each control. This provides a clear governance trail for security teams and auditors.
Evidence runs validate remediation. After implementing a control, the platform re-executes the same techniques that previously succeeded. If the environment now blocks those techniques, the evidence run confirms the improvement. This creates a measurable hardening lifecycle: identify gaps, implement controls, verify effectiveness, measure impact.
Use Cases
CISOs: Get executive-level visibility into EDR performance without technical deep dives. Understand detection coverage, identify gaps, and prioritize security investments based on measurable data.
SOC Managers: Validate that your EDR stack detects the techniques used by threat actors targeting your industry. Identify which EDRs perform best for specific attack patterns.
Detection Engineers: Understand why techniques are detected or missed. Review telemetry quality, rule matches, and process trees. Get detailed remediation guidance for each technique.
Red and Purple Teams: Validate EDR detection coverage before and after security improvements. Measure the impact of hardening efforts through evidence runs.
Value Summary
RefineSec provides:
- Clarity: Understand exactly what your EDRs detect and what they miss
- Confidence: Make security decisions based on measurable detection data
- Measurable Coverage: See adversary coverage percentages and technique-level detection rates
- Remediation Direction: Get prioritized, actionable guidance tied to specific controls and techniques
- Continuous Validation: Run evidence runs to verify that hardening efforts improve detection coverage