CRIT CVE-2025-31324 · SAP NetWeaver RCE · observed in wild
HIGH CVE-2025-29824 · Windows CLFS privilege escalation
CRIT Citrix NetScaler — auth bypass · 11k exposed
MED Cisco ASA · memory disclosure
HIGH Ivanti CSA · path traversal
CRIT FortiGate · stack overflow in sslvpnd
Adversarial security Advisory depth HAX platform

See your business the way attackers do.

XContent RED runs scoped red team engagements, builds board-grade GRC programmes, and operates HAX — the AI-powered reconnaissance platform we use on real adversaries. Outputs read in the boardroom and ship as pull requests.

100+ Engagements · 12 Sectors · 15+ Years
§ 01 · What we do

Six lines. One mandate.

Every XCR engagement serves a single outcome: measurably reduce real-world cyber risk. Tactical, strategic, technical, executive — whatever the engagement requires.

§ 02 · Our platform

We don't just consult. We build.

HAX is the AI-powered security reconnaissance platform we use in our own engagements — attack surface, dark web, and AI-prioritised remediation in one pane. We've made it available to your team.

hax://recon · multi-tenant · sample-acme
streaming
hax@xcr:~$ hax surface --tenant acme --watch
attack surface delta (last 24h)
+ api-staging-v2.acme.co · appeared 03:14 UTC
+ 203.0.113.44:3389 · rdp · newly exposed
! TLS cert on vpn.acme.co expires in 6 days
dark web sweep
! 14 credential pairs posted on leakbase.cx
! mention of "acme treasury" on ransomware leak blog
hax@xcr:~$ hax ai-prio --context tenant --limit 3
P1 · rdp on 203.0.113.44 — remove or gate behind ZTNA
P1 · rotate 14 leaked creds, force MFA re-enrol
P2 · replace vpn.acme.co cert before expiry
hax@xcr:~$

attack-surface › acme-group

Critical: 7 (+2 · 24h)
High: 12 (+1 · 24h)
Assets: 1,842 (+14 discovered)
MTTR: 6.2d (–1.4d · 30d)

| SEV | FINDING | ASSET | OBSERVED | ACTION |
| --- | --- | --- | --- | --- |
| CRIT | CVE-2023-3519 · Citrix unauth RCE · /p/u/doAuth | admin.acme | 14 min ago | patch → |
| CRIT | Exposed RDP on 203.0.113.44 · port 3389 | 203.0.113.44 | 2h ago | isolate → |
| HIGH | Jenkins anonymous build access · /jenkins/job/deploy | ci.acme | 6h ago | gate → |
| HIGH | O365 OAuth consent grant — unusual scope | tenant:acme | 9h ago | revoke → |
| MED | TLS certificate expiring in 6 days | vpn.acme.co | 1d ago | rotate → |
| LOW | SPF record permissive · +all | acme.co | 2d ago | harden → |
attack path · acme-financial
· corp.acme → citrix → CVE-2023-3519 → shell · vpn-gw → jenkins → rdp-03 → darkweb/forum · 12 nodes · 12 edges · 3 critical paths
3 critical paths to crown jewels
global threat surface · multi-tenant live
tenants 42 · assets observed 58,214 · active alerts 139
hax.xcontent.red · multi-tenant for MSPs & enterprises
§ 03 · How we work

Four phases. Every engagement.

Every engagement begins with your business — crown jewels, regulatory posture, threat model, controls in place — and ends with measurable change.

PHASE · 01

Discover

We start with your business, not a toolset. Crown jewels, regulatory posture, current threat model, control state. What would actually hurt if it went missing at 02:00 on a Sunday.

PHASE · 02

Adversarial test

We probe with HAX and human red team craft — replicating the techniques actually being used against organisations like yours. Not a compliance checkbox. A real pressure test.

PHASE · 03

Translate

Findings are written for two audiences in parallel: engineers who must remediate, and executives who must allocate. Both reports come from the same engagement. Neither is an afterthought.

PHASE · 04

Stay close

Most engagements continue as a quarterly cadence — re-test, re-brief, evolve the threat model as your business and the adversary do. Security is a posture, not a project.

§ 04 · Where we work

Sectors we operate in.

XCR's engagement experience spans regulated and competitive industries — South Africa, the broader African continent, and international clients via XContent's global footprint.

01 Financial Services
02 Insurance
03 Healthcare
04 Public Sector
05 Telecommunications
06 Logistics & Supply
07 Retail & E-commerce
08 Energy & Utilities
09 SaaS & Technology
10 Legal & Professional
11 Education
12 Mining & Industrial
observed adversary activity · 72h live
origins 38 · targets (anonymised) 214 · ransomware ops tracked 23
§ 05 · Proof

Who we work for. What we hold.

Selected clients and the practitioner credentials held across the XCR team. Individual engagements remain confidential; credentials do not.

▌ Selected clients
▌ Team credentials

Every technical engagement is led by a practitioner holding at least one offensive-security or governance certification. Many hold several.

CEH MASTER · EC-Council Master — CEH + Practical Combined
CHFI · EC-Council Computer Hacking Forensic Investigator
SC-200 · Microsoft Security Operations Analyst
ISC2 CC · (ISC)² Certified in Cybersecurity
UCT BSA · UCT — Business Systems Analysis
UCT DPP · UCT — Data Privacy & Protection (POPIA / GDPR)
§ 06 · Contact

Let's talk about what's exposed.

A 30-minute discovery call. We'll discuss your current posture, the threats relevant to your sector, and whether there's a fit for a deeper engagement. No slides. No NDA required.

▌ Open channels
PGP on request · typical response < 4h (business hours SAST)
Urgent IR? Call our retainer line.