Defensive Results.
Research-driven cybersecurity firm delivering offensive and defensive security services grounded in real-world vulnerability research, responsible disclosure, and MITRE ATT&CK alignment.
About Us
Offset Security delivers expert offensive and defensive security services grounded in real-world vulnerability research and responsible disclosure. We combine hands-on offensive expertise with enterprise-grade defensive operations.
Research-Led
Services grounded in original vulnerability research, not checklist assessments.
CVE-Credited
Vulnerabilities disclosed in Google Chrome, Microsoft Edge, Samsung Internet.
Full Spectrum
Single partner across red teaming, malware analysis, SOC design, and compliance.
Sazzad Mahmud Tomal
Founder & Lead Security Researcher
CVE-credited vulnerability researcher with a proven track record discovering and responsibly disclosing security flaws in products by Microsoft, Google, and Samsung. Pursuing postgraduate research at Asia Pacific University of Technology & Innovation with a focus on AI-driven cybersecurity.
Core Services
Penetration Testing
Comprehensive assessments across web, mobile, network, APIs, and cloud. Manual testing combined with expert review — not just automated scans.
Red Team Operations
Full-scope adversary simulation using MITRE ATT&CK TTPs — including social engineering, physical intrusion, and lateral movement.
Vulnerability Research
Deep technical research into software, browsers, and firmware to discover zero-day vulnerabilities. Responsible disclosure coordinated with vendors.
Source Code Security Audit
Systematic review of application source code identifying security flaws, insecure patterns, and injection points across Python, JS, C/C++, PHP, and Java.
Browser & Application Research
Specialized research targeting browser engines, address bar spoofing, cross-origin bypasses, and renderer-level vulnerabilities in Chromium, Edge, and more.
Bug Bounty Management
End-to-end management of your bug bounty program — scope definition, triage, researcher engagement, and remediation tracking.
SOC Design & Implementation
Architecture and operationalization of Security Operations Centers with detection engineering pipelines, triage workflows, and runbooks.
Incident Response & Forensics
Rapid response following NIST SP 800-61, with memory analysis, disk forensics, network traffic analysis, and court-admissible documentation.
Malware Analysis & Reverse Engineering
Static and dynamic binary analysis with MITRE ATT&CK-mapped behavioral reports, YARA rules, and IOC packages for your SIEM.
SIEM Deployment & Optimization
End-to-end SIEM deployment tuned to reduce false positives and surface genuine threats from day one.
Threat Intelligence & Hunting
Proactive identification of threats using hypothesis-driven hunting and curated OSINT, dark web monitoring, and industry-specific feeds.
Security Architecture Review
Holistic evaluation of IT and security architecture against zero-trust principles with a prioritized transformation roadmap.
Risk Assessment & Gap Analysis
Structured assessments mapping your posture against NIST CSF, ISO 27001, and CIS Controls with executive-level reporting.
Security Policy & Governance
Comprehensive policy suites covering incident response, data classification, access control, and vendor risk management — audit-ready.
Compliance Consultation
Expert guidance on ISO 27001, PCI-DSS, NIST 800-53, SOC 2, GDPR — pre-audit readiness through ongoing compliance monitoring.
Corporate Cybersecurity Training
Customized programs from executive phishing awareness to advanced hands-on engineering labs, with measurable outcomes.
Secure Coding Workshops
Developer-focused training on secure design patterns, OWASP Top 10 defenses, and integrating security into CI/CD pipelines.
IT Infrastructure & Solutions
Secure infrastructure design, cloud security hardening across AWS/Azure/GCP, and network design for enterprise environments.
IT Consulting for SMEs
Pragmatic security programs for small and medium enterprises — enterprise-grade security within realistic budgets.
Methodology
Every engagement follows a lifecycle aligned with MITRE ATT&CK and industry-standard frameworks — from discovery to hardening.
Discover
Threat landscape assessment, attack surface mapping, scope definition.
Assess
Penetration testing, code audits, threat modeling with real-world TTPs.
Report
Risk-rated findings, PoC demos, executive summary, remediation plan.
Harden
Remediation support, fix verification, architecture improvements.
Security Research
8 credited CVEs across Microsoft, Google, and Samsung — proof that our team thinks at the same level as the world's most complex attack surfaces.
CVE Registry
| Year | CVE ID | Product | Type |
|---|---|---|---|
| 2025 | CVE-2025-21262 | Microsoft Edge | Spoofing CWE-451 |
| 2024 | CVE-2024-49041 | Microsoft Edge | Spoofing CWE-449 |
| 2024 | CVE-2024-49054 | Microsoft Edge | CWE-357 |
| 2024 | CVE-2024-7004 | Chrome Safe Browsing | Input Validation |
| 2024 | CVE-2024-30055 | Microsoft Edge | Spoofing |
| 2024 | CVE-2024-20829 | Samsung Mobile | SVE-2023-0472 |
| 2023 | CVE-2023-36559 | Microsoft Edge | Spoofing |
| 2023 | CVE-2023-29334 | Microsoft Edge | Spoofing |
Hall of Fame
2025
Gen Digital (Avast)
P1 Critical — Android Avast Secure Browser. Bugcrowd induction.
Q2 2025
Yandex
Hall of Fame for browser vulnerability discovery.
2025
F-Secure
Deep links vulnerability in Safe Browser.
Sep 2024
Yandex
HoF induction for Yandex Browser security bug.
Mar 2024
Yandex
Second HoF recognition for security contributions.
Sep 2023
Yandex
HoF induction for Yandex Mail vulnerability.
Clients
From national law enforcement to global security platforms — our clients trust us with their most sensitive security challenges.
Hack The Box
Collaborative partner on their global security platform.
Bangladesh Police
Cybersecurity consulting and technical support for national law enforcement.
Two Bangladeshi Banks
Ransomware incident investigations under strict confidentiality.
VIT-AP University
Full security review for a leading Indian educational institution.
BI24
Comprehensive security assessment and strategic consulting.
SISL
IT and cybersecurity consulting; authorized Mitsubishi FA distributor in Bangladesh.
Why Choose Us
We don't just run scans — we think like attackers and build like defenders. Every engagement is backed by real research, not templates.
Proven Expertise
Real vulnerabilities discovered in global products used by billions — Microsoft Edge, Google Chrome, Samsung Internet. Our research record speaks for itself.
Fast Response
Rapid deployment for ransomware incidents and active breaches. When you're under attack, minutes matter — we're built for rapid engagement.
Business-Focused Reporting
Technical findings translated into clear executive action plans. Risk-prioritized remediation so your leadership understands the exposure — not just the exploit.
Strict Confidentiality
Absolute discretion for sensitive investigations. We've handled ransomware cases for financial institutions — confidentiality is not optional for us, it's foundational.
Partner with Offset Security for research-driven cybersecurity tailored to your threat landscape.