ABOUT / FENRYX

We are the wolves, not the prey.

FenryX was founded in Taipei in late 2025. We do one thing: find the vulnerabilities your organization doesn't know it has — using a genuine attacker perspective. We believe true defense can only be built by those who truly know how to attack.

2025 Founded
10+ Founding Clients
39 ZeroDay Reports
100% Human Delivery
ORIGIN / 01

The Name's Origin

FenryX takes its name from Fenrir, the great wolf of Norse mythology — a symbol of unbound force and unpredictable threat. We added "X" to represent our direction: unknown attack vectors, unexplored vulnerability surfaces.

MISSION / 02

Our Mission

Attack is not destruction — it is the first step toward understanding weakness.

We believe the best way to build resilient systems is to understand how they can fail. By entering from an attacker's perspective, we help organizations find weaknesses and harden defenses before real threats arrive — turning every simulated attack into an accelerator for technical growth.

VALUES / 03

Our Four Tenets

Every decision at FenryX — from hiring to scope of service to how we present reports — is governed by these four core values. Not a poster on the wall, but a commitment written into every SOW.

01
OFFENSIVE

Offense First

We approach every problem the way an attacker would. Defense begins with understanding how to attack.

02
EVIDENCE

Evidence-Driven

A vulnerability without a PoC is not a vulnerability. Every conclusion must be verifiable and reproducible.

03
PACK

Pack Mentality

No heroics. Team collaboration and information sharing are the true strength of any security team.

04
ETHOS

White Hat Ethos

We have the ability to break in — but more importantly, we know when to stop.

CERTIFICATIONS / 04

Held Certifications

FenryX engineers hold industry-recognized offensive certifications. All technical capability is validated through real hands-on exams, not paper credentials.

CPTS: Certified Penetration Testing Specialist (Hack The Box)
CWES: Certified Web Exploitation Specialist (Hack The Box)
CJCA: Certified Junior Cybersecurity Associate (Hack The Box)
PWPA: Practical Web Pentest Associate (TCM Security)
eJPT: Junior Penetration Tester (INE Security)
RESEARCH / 05

Security Research

FenryX engineers have responsibly disclosed 39 vulnerabilities (including 2 CVEs) on the HITCON ZERODAY platform, covering real systems in healthcare, food & beverage, e-commerce, and industrial control sectors. All reports have been remediated. Organization names are anonymized per responsible disclosure principles.

ZD-2026-00409 ~ 00331
Critical | Remediation in Progress
Healthcare SaaS Platform
8 vulnerabilities reported
  • Predictable JWT signing key — forged tokens bypass all API authentication
  • Unauthorized API access — thousands of medical institutions fully exposed
  • Prompt Injection — internal documents including bank account numbers leaked
  • Patient appointment records (name, ID, phone) accessible without authentication
ZD-2024-00979
Critical | Vendor Remediation Complete
Restaurant Chain Group
1 vulnerability reported
  • Reversed APK revealed API access control flaw
  • Unauthorized access to all employee national IDs, home addresses, bank accounts, and salary data
2026
CVE-2026-6643 High ASUSTOR ADM Stack-based Buffer Overflow
ZD-2026-00491 Low E-commerce keyword parameter Reflected XSS
ZD-2026-00490 Medium Checkout remarks field Stored XSS
ZD-2026-00489 Medium Member profile page nickname/name Stored XSS
ZD-2026-00409 Critical API JWT signing key guessable — token forgery bypasses all auth
ZD-2026-00407 Critical Kibana monitoring platform publicly exposed — 230M records leaked
ZD-2026-00383 Critical Internal customer management API unauthorized access, plaintext passwords stored
ZD-2026-00382 High Unauthorized API access — business contracts and pricing data leaked
ZD-2026-00369 Critical Unauthenticated endpoint exposes clinic JWTs and patient appointment records
ZD-2026-00354 Critical Unauthenticated backend API leaks physician IDs and full medical institution data
ZD-2026-00344 High AI Copilot endpoint Prompt Injection leaks internal documents
ZD-2026-00343 High Webhook Logs API unauthorized — real-time LINE conversations exposed
ZD-2026-00331 Medium Unauthorized access to 128 business discount codes and pricing strategy
ZD-2026-00325 Critical Unsigned cookie authentication leads to arbitrary account takeover
2025
CVE-2025-13468 Medium Missing Authorization in Alumni Management System
ZD-2025-01436 High POS management interface exposed without authentication
ZD-2025-00620 Low Member system Reflected XSS
ZD-2025-00615 Medium Online learning platform SQL Injection and broken encryption
2024
ZD-2024-01519 Low Arbitrary enrollment certificate query
ZD-2024-01219 Medium Admin system SQL Injection
ZD-2024-01014 Low Member data disclosure
ZD-2024-00979 Critical APK reverse engineering revealed API access control flaw — full employee PII exposed
ZD-2024-00883 Medium Freezer controller management system improper access control
ZD-2024-00882 Critical Freezer controller management system RCE
ZD-2024-00801 Low Digital member platform information disclosure
ZD-2024-00785 Medium SQL Injection
ZD-2024-00777 Low CKFinder admin panel left exposed
ZD-2024-00042 Low Student dormitory messaging system access control flaw
ZD-2024-00019 Critical SQL Injection leading to RCE
ZD-2024-00017 Critical Information disclosure chained to RCE
ZD-2024-00016 High CKFinder admin panel exposed (high impact)
ZD-2024-00014 Medium Local File Inclusion
ZD-2024-00005 Low Student information disclosure
2023
ZD-2023-01040 Low .DS_Store file disclosure
ZD-2023-01039 High URL parameter SQL Injection
ZD-2023-00087 High Arbitrary file upload vulnerability
ZD-2023-00086 Medium Book recommendation system sensitive data disclosure and permission issues
2022
ZD-2022-00649 High Library arbitrary file upload
2021
ZD-2021-00264 Low Library security vulnerability
JOURNEY / 06

Our Story

We are a new company, but we document every step. Here is FenryX's public timeline.

2025

FenryX Founded

Founded in Taipei by senior penetration testing engineers, with a mission to build real security defenses from a real attacker perspective.

2026

First Client Engagements

Began accepting founding client penetration testing engagements, all projects executed and delivered directly by the founders.

WORK · WITH · US

Ready to start working together?

Tell us about your security needs. We'll get back to you within 3–5 business days.