Brutecat Security
Book an engagement

We hunt thebugs that youraudits miss.

siege is our in-house AI harness — #16 on Google's Hall of Fame, including two RCEs in Google Cloud production (Borg).[1][2] A senior researcher drives every engagement.

Book an engagementRead the blog →
AS FEATURED IN
§ 01 — WORKFLOW

The hunt, in 3 stages.

siege runs at the scale of a full red team. It chains small primitives together into end-to-end exploits — the kind a regular AI scanner would never find, ones that Google's own security team missed.

  1. i.

    Scan.

    Blackboxsiege attacks your production from the outside. Every request and response is captured.

    Whiteboxsiege reads every source file from the inside.

  2. ii.

    Auto-triage.

    Every lead validated before a human sees it against a running dockerized/sandboxed copy of your service. Hallucinations dropped, severity corrected, PoC attached.

  3. iii.

    Human verification.

    A human researcher reproduces each exploit, confirms impact, and writes the report.

siege.brutecat.internal / leads
§ 02 — PUBLIC DISCLOSURES

siege, on the record.

siege has pulled in $500k+ in bounties, a #16 slot in Google's Hall of Fame, and high/critical vulnerabilities across widely deployed open-source software.

FLAGSHIP · siege

Two RCEs in Google Cloud production (Borg).[1][2]

siegelanded two separate RCEs inside Borg — the cluster manager that runs Google's production.

Rewarded $135,000 ($60k + $75k) under Compromise of Google Cloud Production Environment.

  • #16all-time · Google Hall of Fame
  • $500k+paid in Google bounties
  • 2025Google Year in Review honoree
GITEA · FORGEJO · siege

One bug.
A supply-chain blast radius.

Same vulnerability in Gitea and Forgejo — shared codebase. Codeberg runs Forgejo and hosts ziglang/zig, putting the Zig programming language's supply chain in the blast radius.

  1. Gitea
  2. Forgejo
  3. Zig
ROCKET.CHAT · 45k ★ · siege

Live session tokens. Private PII.

Numerous unauthenticated high/critical disclosing live access tokens and sensitive PII.

ISPConfigRoot RCE
380k+ deployments
MinIOCVE-2026-40344CVE-2026-41145
60.7k ★ · 400k+ deployments
CKANSQL Injection
5k ★ · used by numerous governments
+ more
othersunder embargo

“We really like how simple, clear and impactful your reports are.”

— Google Cloud VRP
§ 03 — SERVICES

Three engagements.

Pick the one that fits the problem you're trying to solve.

01 / PENETRATION TEST · siege

Blackbox.

Pentest your production. Same harness that earned #16 on Google's Hall of Fame.

Scope this
02 / SOURCE REVIEW · siege

Whitebox.

Audit your source end-to-end. Same harness that found bugs in Gitea, MinIO, and Rocket.Chat.

Scope this
03 / CONSULTING

Consulting.

Threat modelling, design reviews, privacy assessments.

Scope this
§ 05 — THE TEAM

The team behind siege.

Arvin Shivram
FOUNDER · PRINCIPAL RESEARCHER

Arvin Shivram

Most of Arvin's public record is in the Google Vulnerability Reward Program — top 20 of all time, north of half a million US dollars in paid bounties across hundreds of reports, and recognition in Google's 2025 Year in Review.

His findings include a bug that leaks the phone number behind any Google account, a YouTube flaw exposing emails of 2.7 billion users, and remote code execution inside Borg, Google's production cluster manager.

siege has since caught bugs in Gitea, Forgejo, MinIO, ISPConfig, Rocket.Chat, and CKAN.

NEW ENGAGEMENT

Name your target.

Send us a rough scope. We reply within one business day with a fixed quote.

Or email contact@brutecat.com with your own words. PGP key →