Securin Zero Days

    The method behind every advisory.

    This page documents how Securin’s zero-day research operation works — the two phases, the seven stages, what gets filtered and why, and the disclosure standards that govern every finding. Every advisory in the public index moved through this process.

    01/TWO PHASES, ONE PIPELINE

    Discovery.
    Then validation.

    The research pipeline splits into two intellectually distinct phases. They are not sequential steps — they are different kinds of work, done by different tools and different people.

    Phase 1 · AI-augmented

    Discovery

    AI models — orchestrated through Securin’s purpose-built skills and workflows — map the attack surface at scale. The goal of this phase is coverage: surfacing as many candidate vulnerability regions as possible across the target scope.

    Frontier models (Claude, GPT) orchestrated through specialised workflows
    Automated penetration testing widens attack surface coverage
    Vulnerability intelligence focuses targeting on exploitable classes
    Output: a ranked list of candidate regions for human review

    Phase 2 · Human-directed

    Validation

    Every candidate from Phase 1 is reviewed by a Securin practitioner. The goal of this phase is precision: confirming real-world exploitability and eliminating everything that doesn’t meet the publication standard.

    Practitioner triage against a decade of offensive tradecraft
    False positives, theoretical issues, and hallucinated findings are dropped
    Confirmed candidates reduced to deterministic, working exploits
    Output: verified findings with working PoC — nothing else

    02/THE SEVEN-STAGE PIPELINE

    Every stage.
    Every finding.

    No finding is published without passing through all seven stages. Each stage has a defined gate: no stage advances on model output alone or on practitioner judgement alone; both are required.

    01 · Discovery · Scope & Authorise
    Engagement is scoped with the client or defined internally for the program. Rules of engagement, authorisation boundaries, and target parameters are established and documented before any testing begins. Nothing runs without a defined scope.
    Gate: written authorisation

    02 · Discovery · Intelligence-Led Targeting
    Securin’s vulnerability intelligence platform — tracking 240,000+ CVEs — prioritises the assets, technologies, and attack surfaces most likely to yield exploitable, high-impact flaws. Effort is focused before testing begins, not after.
    Gate: VI-ranked target list

    03 · Discovery · AI-Augmented Recon
    Frontier models are orchestrated through Securin’s purpose-built skills and workflows — combined with automated penetration testing — to map the attack surface at scale. The models surface candidate vulnerability regions; they do not validate them.
    Gate: ranked candidate list

    04 · Validation · Expert Triage
    Every candidate is reviewed by a Securin practitioner against a decade of offensive tradecraft. False positives, theoretical issues, and hallucinated findings are discarded here. Only candidates with a credible exploit path proceed.
    Gate: practitioner sign-off

    05 · Validation · Exploit Development
    Confirmed candidates are turned into working, tested exploits through iterative validation and debugging. The exploit must be deterministic — same preconditions, same outcome, every time. Partial logic and pseudo-code do not qualify.
    Gate: deterministic PoC

    06 · Validation · Lab Reproduction
    Each validated zero-day is reproduced in a controlled lab environment with a full environment specification and step-by-step instructions. The lab reproduction is what gets delivered to the client and to the vendor — it is independently verifiable before any public disclosure.
    Gate: independent reproducibility

    07 · Validation · Remediation & Reporting
    Findings are delivered with concrete, actionable remediation — fixed code diff, patch guidance, and risk-based prioritisation enriched by vulnerability intelligence. The final artifact includes root-cause analysis, impact matrix, trigger conditions, and a full remediation runbook.
    Gate: remediation verified

    03/WHAT GETS DROPPED

    The filter is
    the standard.

    Three categories of output are discarded at triage — before they reach exploit development. This is where the difference between AI-assisted research and a model running alone is most visible.

    Dropped · False positives
    Model output that identifies a code pattern as suspicious but where no exploitable condition exists under real-world constraints. Common in AI-only pipelines — Securin practitioners review every candidate against known exploit patterns before any further work.

    Dropped · Theoretical findings
    Vulnerability candidates where the attack path is plausible in theory but cannot be demonstrated under real preconditions. If it cannot be triggered deterministically, it does not move forward. Theoretical findings inflate severity without adding actionable risk intelligence.

    Dropped · Hallucinated findings
    Model-generated output that describes a vulnerability in a code path that does not exist, references an API that behaves differently than described, or constructs an exploit chain that cannot be executed. These are an inherent output of frontier models operating without practitioner oversight.

    04/DISCLOSURE STANDARDS

    Coordinated.
    Every time.

    Every finding is disclosed under a structured, documented process aligned to ISO/IEC 29147 and 30111. No finding is published without vendor notification and a coordinated patch window.

    CNA authority
    Securin is a CISA-sponsored CVE Numbering Authority and EU GCVE Numbering Authority. CVE and GCVE IDs are assigned by Securin directly — no middlemen, no delays. Vendors respond differently when the report arrives with CNA authority and a working exploit already attached.

    Disclosure window
    90 days from vendor notification to public disclosure. Extensions are granted only when active remediation is in flight and documented. Extensions are logged publicly in the advisory. Findings are published at 90 days regardless of whether the vendor has responded.

    Standards alignment
    Coordinated vulnerability disclosure process aligned to ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling). CISA KEV contributor — active exploitation findings are reported to the KEV programme directly.

    Researcher credit
    Independent researchers who coordinate findings through Securin retain full authorship and public credit in the advisory. Embargo terms are honoured for every accepted submission. Securin does not claim findings it did not discover.

    The 90-day window

    What happens between discovery and publication.

    The 90-day window is not a deadline — it is a structured coordination process with defined steps and documented exceptions.

    D+0 · Vendor receives the full report, working exploit, and proposed CVSS under embargo. CVE / GCVE ID assigned by Securin CNA.

    D+7 · Vendor acknowledgement expected. If no response by D+14, Securin escalates through secondary contacts and logs the non-response.

    D+30 · Interim check-in. Patch status reviewed. Extension considered only if active development is documented and a target date is provided.

    D+60 · Patch verification begins. Securin tests the vendor’s fix against the original exploit to confirm the remediation is complete before the embargo closes.

    D+90 · Public advisory published on the agreed date. Root-cause analysis, impact matrix, fixed code diff, and remediation runbook released in full.
    CNA · GNA: CVE & GCVE Numbering Authority (CISA-sponsored CNA · EU GCVE GNA)
    ISO: Disclosure process aligned to ISO/IEC 29147 & 30111
    KEV: CISA KEV contributor, active exploitation reporting
    Vulnerability Intelligence: VI Platform · 240k+ CVEs tracked

    Every advisory published by Securin moved through this process — from scoped target to signed public record. Browse the full index or coordinate a finding through the CNA & GNA program.


    Securin's zero-day research operation combines frontier AI models with a decade of offensive expertise — discovering, validating, and coordinating the disclosure of high-impact vulnerabilities at a scale and speed no human team achieves alone.

    © 2026 Securin Inc · CVE Numbering Authority