Where Coffee Meets Security

A personal security research platform featuring cutting-edge vulnerability research, custom security tools, educational videos, and timely security advisories. Fueled by coffee, driven by curiosity.

What does Coffee have to do with Security?

Coffee has always played a major role in the life of most security professionals. Whilst beer serves the purpose of socialising, a good coffee always provides a quick energy boost. It's the beverage of choice among most hackers and security professionals that assists with prolonged subversive work online.

I also believe that when it comes to good to great thinking it has always been powered by coffee. However, anything in excess is bad. Therefore, it is essential to regulate your coffee intake per day. While I coined the name, I thought of two key elements that are mutually inclusive and runs in our industry's DNA i.e. coffee and security.

Caffeine Powered

Research fueled by quality coffee

Security Focused

Breaking and securing systems since 1998

Open Research

Transparent methodologies

Responsible Disclosure

Ethical vulnerability reporting

Latest Events

Upcoming conferences & past speaking engagements

View All Events
Black Hat USA 2023 ArsenalTool ReleaseAug 2023

Daksh SCRA (Source Code Review Assist Tool)

Daksh SCRA (Source Code Review Assist Tool) is built to help reviewers work faster than grep-based pattern matching alone, structuring and semi-automating the early triage of large, unfamiliar codebases so a reviewer's time goes toward confirming and exploiting genuine findings rather than re-deriving them by hand. The tool first debuted a year earlier at the Black Hat USA 2022 "Source Code Review - Raise Your Bar Beyond Grep" training, where it was shared privately with attendees who completed the course. This appearance at Black Hat USA 2023 Arsenal was its first public release, making it available to the wider security community for the first time.

Black Hat USA 2022 TrainingTrainingAug 2022

Source Code Review (Raise your bar beyond Grep)

A hands-on Black Hat USA training for security professionals and code reviewers looking to move beyond simple grep-based pattern matching. The course covered manual and semi-automated source code review methodology across multiple languages and frameworks, along with the vulnerability classes that keyword searches routinely miss. It also worked through practical triage workflows for auditing large, unfamiliar codebases under real engagement time constraints. Attendees got an early, private look at Daksh SCRA, the source code review assist tool built to support the techniques taught in the course.

BSides Delaware 2021Conference TalkNov 2021

Software Security Engineering (Learnings from the past to fix the future) - Extended Version

This talk covered some crucial aspects of software security engineering and strategy that most organisations have overlooked or ignored. Primarily the presentation provides some insights on why we still continue to see two decades old bugs and recommendations to consider going ahead. This is a slightly extended version of the OWASP 20th Anniversary talk.

Exploit Demo Videos

All Videos

Proof-of-concept exploit demonstrations by Debasis Mohanty.

CVE-2007-565924 Oct 2008

Adobe Acrobat 'Collab.collectEmailInfo' Buffer Overflow (CVE-2007-5659)

This vulnerability was made public in Feb 2008. The exploit was written in Oct 2008 but could not be released due to IP agreement with the contractor. A demo video was released instead.

CVE-2007-560111 Apr 2008

RealPlayer ierpplug.dll ActiveX Control Buffer Overflow (CVE-2007-5601)

This vulnerability was made public in Oct 2007 with no publicly available exploit until 2008. The exploit was written in April 2008 but could not be released due to IP agreement. A demo video was released instead.

Point-in-time research, 2004 to 2008

Security Advisories

This is not a CVE leaderboard. It is a curated record of research published when the attack class, the target, or the technique was still considered niche, theoretical, or uninteresting by the broader industry. Each item is included for what it documented at the time, not for the size of its identifier.

Research doctrine

Target the doubt, not the score

Pick issues where the industry disputes the impact. XSS in 2004, PDF JavaScript in 2008, Office as a malware carrier in 2006. Prove the impact concretely before the industry consensus catches up to the finding.

Surface forgotten primitives

Old operating system mechanisms keep returning as attack vectors. DDE, COM interop, OLE embedding. Document them properly the first time so they are not rediscovered a decade later under a different name.

Challenge category-defining claims

When a product class markets a guarantee, personal firewalls, virtual keyboards, anti-piracy attestation, test the guarantee rather than the product. The shape of the bypass usually outlives the vendor that shipped it.

Publish for the learner, not the leaderboard

Every advisory is written so a researcher reading it years later still extracts a transferable pattern. The CVE identifier is only the receipt, the writeup itself is the artifact worth keeping.

Landmark research

Selected entries with outsized point-in-time impact
CriticalExploit Author
Nov 2008

Microsoft Windows Netapi32 Insecure Path Canonicalization Exploit

MS08-067
Why it mattered then

Released within days of MS08-067 going public, when no reliable independent exploit existed outside of vendor and a handful of closed circles. The same primitive later powered Conficker. At that moment the choice was: wait for someone else, or write it.

Research insight

Reliability beats novelty when the window of relevance is days. Studying the canonicalization primitive taught more about Windows path parsing than any of the dozens of follow-up writeups that came months later.

HighExploit Author
Nov 2008

Adobe Reader 'util.printf()' Function Buffer Overflow Exploit

CVE-2008-2992
Why it mattered then

Published when public Adobe Reader exploit code was almost non-existent. PDF was still considered a 'safe document format' by most enterprises. JavaScript-in-PDF was a niche even within client-side research.

Research insight

The interesting surface is rarely the parser, it is the embedded interpreter. JavaScript engines bolted onto document readers became the dominant client-side attack class for the next decade.

View full advisories archive