Steven Foerster
Architect, Leader, Security Researcher
I build security tools, take systems apart to understand them, and publish what I learn along the way.
Fifteen years of shipping platforms, breaking assumptions, and writing up both. This is where the experiments, field notes, and open-source work live.
stevenfoerster.com | bash
last login: today on tty1
sf : ~ $ whoami
steven // architect // leader // security researcher
sf : ~ $ ls ~/workbench
projects/ lab/ notes/ tutorials/ contact/
sf : ~ $ cat /experiments/current
[1] Vinsium workflow engine modules
[2] tiny FHE toy
[3] threat-model game
sf : ~ $ ls ~/fun-problems
sf : ~ $ ./build --curiosity-driven
[ok] shipped with one bug, two lessons, and a blog post
sf : ~ $ help
Try: `whoami`, `contribute`, `fortune`, `man sf`, `easter-egg --konami`
interactive mode: type `help`
Current Projects & Experiments
What I am building right now
The current mix of long-running projects, lab prototypes, and curiosity-driven side quests.
Project
Vinsium
Private AI infrastructure that runs entirely on your network. Zero-trust mesh networking, a local AI workflow engine, and enterprise identity — no cloud dependency.
Why I built it
I wanted organizations to run real AI workloads without sending sensitive data off-network.
Follow the build
Open Source
Mistborn
Mistborn is the long-running project where most of my networking and platform opinions were forged by trial, error, and friendly bug reports.
Why I built it
I built it to protect real systems without demanding enterprise budgets.
Read the origin story
Lab
Interactive security playgrounds
Prompt injection, memory corruption, threat modeling, and toy cryptography demos that run entirely in the browser.
Why I built it
I learn faster when I can poke the model and watch it fail in real time.
Try the lab
Learning In Public
Notes and build logs
Write-ups from experiments, dead ends, and sharp corners I wish someone had warned me about.
Why I built it
Writing is how I debug my own thinking.
Read notes
Lab highlights
Interactive security demos
Interactive demos built to make difficult concepts obvious through experimentation.
Tutorials
Hands-on guides
Step-by-step walkthroughs covering security research, exploit development, and systems engineering.
LLM Tokens, Context Windows, and the Attack Surface
Understand how large language models process text through tokenization, manage context windows, and where these mechanics create exploitable attack surface for red teamers.
WebMCP Attack Surfaces: When AI Agents Call Your Website
Build a web app that exposes tools to AI agents via WebMCP, then demonstrate four attack classes: tool poisoning, schema mismatch, response injection, and cross-tool exfiltration.
Container Escape: Namespace and Privilege Breakouts
Exploit four container escape techniques — privileged mounts, Docker socket abuse, namespace escapes, and cgroup release_agent — then harden against each one.
Training a ROP Gadget Classifier with XGBoost
Build a machine learning classifier that predicts whether a ROP gadget is useful for exploit chains, using features extracted from x64 disassembly and XGBoost.
Attack Surface Analysis of a Minimal Embedded Linux Image
Build a stripped embedded Linux image with Buildroot, then systematically audit it: open ports, exposed syscalls, suid binaries, kernel modules, and writable paths — then harden it and measure the difference.
Firmware Extraction and Reverse Engineering with Binwalk and Ghidra
Extract firmware from an IoT device update file, unpack the filesystem, identify interesting binaries, and reverse engineer them in Ghidra to find real vulnerabilities.
Cross-Compiling and Debugging with Buildroot, QEMU, and GDB
Set up a complete embedded Linux development environment: build a custom ARM image with Buildroot, boot it in QEMU, and remotely debug binaries with GDB — no hardware required.
Anomaly Detection on Linux Audit Logs with Isolation Forest
Build a lightweight anomaly detection pipeline that flags suspicious Linux sessions using auditd logs, feature engineering, and scikit-learn — no GPU required.
Build a Local RAG Pipeline with Ollama and ChromaDB
A hands-on guide to building a retrieval-augmented generation pipeline that runs entirely on your machine, using security advisories as the knowledge base.
Writing Your First Wazuh Custom Decoder and Rule
A step-by-step guide to writing custom Wazuh decoders and rules, from reading a raw syslog line to triggering an alert.
Recovering from a Pop!_OS Kernel Panic on System76
Step-by-step recovery for a Pop!_OS kernel panic after an interrupted update.
Windows Egghunter Exploitation
Use egghunter shellcode to locate and execute a larger payload when buffer space is limited.
Windows SEH Overflow Exploitation
Exploit Structured Exception Handler (SEH) overflows on Windows, bypassing SafeSEH protections to achieve code execution.
Windows Stack Buffer Overflow
Exploit a classic stack buffer overflow on Windows, from crash discovery to shellcode execution using Immunity Debugger and mona.py.
Remote Exploitation with Socket Reuse Shellcode
Exploit a remote x86 Linux service by leaking addresses to bypass PIE, splitting shellcode across discontinuous buffers, and reusing the existing socket to evade firewall rules.
Bypassing ASLR on x64 Linux
Defeat Address Space Layout Randomization by leveraging fixed addresses in the binary when PIE is disabled.
Bypassing NX with mprotect ROP Chains
Use Return-Oriented Programming to call mprotect() and make stack memory executable, then jump to shellcode on x64 Linux.
Bypassing NX with ROP on x64 Linux
Use Return-Oriented Programming to bypass NX protection on 64-bit Linux, chaining gadgets to call system() with /bin/sh.
ROP Gadget Hunting Toolkit: ropper, ROPgadget, and GDB-PEDA
A practical reference for finding, filtering, and verifying ROP gadgets using ropper, ROPgadget, and GDB-PEDA. Covers common workflows, advanced filtering, and chaining strategies.
Stack Buffer Overflow on x64 Linux
Exploit stack buffer overflows on 64-bit Linux systems, understanding the differences from x86 including register usage and address handling.
Return-to-libc Attack on x86
Bypass NX protection by returning to libc functions instead of executing shellcode on the stack. Learn to leak addresses and chain function calls.
Redirecting Execution to Hidden Functions
Learn how to exploit a basic stack buffer overflow to redirect execution to a hidden function in a SUID binary and gain elevated privileges.
Basic Stack Buffer Overflow on x86
A comprehensive guide to exploiting stack buffer overflows on 32-bit Linux systems, from vulnerability discovery to shellcode execution.
Linux Syscalls for Exploit Development
How Linux syscalls work at the instruction level — int 0x80 vs syscall, register setup, and the key syscalls used in shellcode and ROP chains.
The Stack: Memory Layout and Function Frames
How the stack works in x86 and x64 Linux — process memory layout, push and pop mechanics, function prologues and epilogues, and why buffer overflows can overwrite the return address.
x86 and x64 Registers and Calling Conventions
A practical guide to CPU registers, partial register access, flags, and how function arguments are passed on x86 and x64 Linux.
Arch Linux Installation Guide
A comprehensive guide to installing Arch Linux with full disk encryption, secure boot, and hardened security configuration.
For builders
Starter reads from the notebook
Good starting points if you like systems thinking, zero-trust design, and honest engineering trade-offs.
What Linux vs. Hurd Teaches Us About Leadership, Engineering, and Life
A long-form reflection on why Linux won and what that teaches about leadership, engineering, and product momentum. Practical lessons for builders who ship, iterate, and grow communities.
Read note
10 Custom Wazuh Rules Every SOC Should Deploy
A curated set of custom Wazuh decoders and rules for the detections that built-in rules miss — with MITRE mappings and ready-to-deploy XML.
Read note
Private AI in Your SOC: How to Run LLMs Locally
Operating LLMs locally can help analysts summarize and triage sensitive telemetry without shipping data to third-party services.
Read note
Why is it so slow? Troubleshooting DNS, SSH
A practical workflow for isolating slow SSH sessions by separating DNS, TCP, and authentication latency.
Read note
CVE-2024-3094: The xz/liblzma Backdoor
How a multi-year social engineering campaign embedded a backdoor in xz Utils that hijacked OpenSSH authentication on Linux systems.
Read note
When Your Kernel Panics but You Don't: Lessons from a Linux Recovery
A kernel panic recovery story and the engineering mindset that makes Linux failures fixable.
Read note
Security Spotlight
Recently exploited vulnerabilities
I track this list because active exploitation tells you more about real-world risk than any CVSS score — these are the threats defenders are actually patching right now.
Cisco · SD-WAN
Cisco SD-WAN CLI contains a path traversal vulnerability that could allow an authenticated local attacker to gain elevated privileges via improper access controls on commands within the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user.
Added Feb 25, 2026
View details
Cisco · Catalyst SD-WAN Controller and Manager
Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, contain an authentication bypass vulnerability that could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
Added Feb 25, 2026
View details
Soliton Systems K.K · FileZen
Soliton Systems K.K FileZen contains an OS command injection vulnerability when a user logs in to the affected product and sends a specially crafted HTTP request.
Added Feb 24, 2026
View details
Latest notes