Damn Vulnerable Drone
An intentionally vulnerable ArduPilot/MAVLink simulator. The open-source environment the industry uses to learn drone hacking. 402 stars on GitHub.
ASEC Research
Featured InvestigationAutonomous Systems
Adversarial Testing of Autonomous Platforms: The ArduPilot Attack Surface
A primer on adversarial testing for ArduPilot-based vehicles, from the MAVLink wire format up through the parameter store. Written for security teams who have to red team a platform they did not build.
Issue 01 in full
Twelve dispatches across drones, GraphQL, building automation, and the corners of offensive security where research and engagement meet. Filed under ASEC byline. All claims sourced or marked.
Ground Control Station Penetration Testing: A Methodology
A field methodology for adversarial testing of the operator workstation, the GCS application, and the operator network that ties them together. The autopilot is not where the operator lives. The GCS is.
RF Link Exploitation in Commercial UAS
A guided tour of the RF link between commercial unmanned aircraft and their operators, what the link actually protects, and what the realistic adversary can do with a USB SDR and a working knowledge of the relevant ISM bands.
Black Hat GraphQL
Attacking Next Generation APIs. The first hands-on book on offensive GraphQL security. No Starch Press, 320 pages.
Black Hat Bash
Creative scripting for hackers and pentesters. Bash for offensive Linux work, custom tooling, and living-off-the-land attacks. No Starch Press.
GraphQL Threat Matrix
An open framework for tracking the offensive surface of GraphQL server engines. The adopted reference structure across the community. 361 stars.
CrackQL
A GraphQL password brute-force and fuzzing utility. Built to surface authentication weaknesses in real-world GraphQL APIs. 346 stars.
GraphQL Hacking 101: Reconnaissance
The first move against any GraphQL endpoint: introspection, schema retrieval, and the maps every offensive researcher draws before they look for bugs.
Your Untested GraphQL API is a Ticking Time Bomb
Why most teams ship GraphQL without an offensive testing budget, and what the realistic blast radius looks like when the bill comes due.
Five Core Principles of Fighting Back in Security
The MapleSEC 2022 keynote. A pragmatic operator-grade view of how to think about programs in a "when not if" world.
Drone Security in the Field, US Talk 2025
A 2025 US conference talk on operational drone-pentest methodology, drawing on Damn Vulnerable Drone and field engagement learnings.
What we investigate
The practice operates across five overlapping research areas.
ASEC is a Toronto-based offensive-security firm. We treat engagements and research as one body of work. The drone-and-robotics line is the newest of the five, and it is the only one currently held by a Canadian commercial firm. Each area is owned by a named researcher and produces material that ships back into the open-source body of work the team has been building since 2015.
- 01
Autonomous systems offensive security
Drone, UAV, ground-robotics, and the ArduPilot / PX4 / ROS surface that connects them.
- 02
GraphQL API security
Practice anchored in Black Hat GraphQL, CrackQL, and the GraphQL Threat Matrix.
- 03
Building automation and smart-building security
BACnet, building management systems, and the IoT layer that operates them at scale.
- 04
Cloud, web, mobile, network, IoT
The bread-and-butter offensive surface across customer engagements.
- 05
Incident response and forensics
IR program design, table-tops, playbook development, and post-incident reconstruction.
Editor / Research Lead
Nick Aleks
Chief Hacking Officer, ASEC. Founder, DC416. Co-author of Black Hat GraphQL (No Starch, 2023) and Black Hat Bash (No Starch, 2024).
Nick has led the offensive-security practice at ASEC since 2015. His public body of work spans 37 open-source projects, with over 1,300 cumulative GitHub stars, two No Starch Press books, and a talk catalogue that includes the MapleSEC 2022 keynote, GraphQL Summit 2022, CanSecWest 2024, and a 2025 US drone-security talk. He founded DC416, the Toronto DEF CON chapter, in 2016, which celebrates its 10-year anniversary in 2026 with 2,880 active members.
The drone-and-robotics line that anchors this issue rests on a decade of hands-on work and on Damn Vulnerable Drone, the open-source ArduPilot/MAVLink simulator the industry uses to learn drone hacking. It is the moat artifact for the practice and the lead reference across this issue.
- 2 No Starch Press books
- 37 open-source projects
- 1,300+ cumulative GitHub stars
- MapleSEC 2022 keynote
- GraphQL Summit 2022
- CanSecWest 2024 DOJO
- Founder, DC416, Toronto, 10-year anniversary
- 2025 US drone talk
Affiliations
- CADSICanadian Association of Defence and Security IndustriesFederal defense industry voice
- ACDCAerospace, Cybersecurity, and Defence CoalitionSovereign-Canadian-controlled defense
- CCTXCanadian Cyber Threat ExchangeThreat-intel community with Big Six and telcos
- IN-SEC-MInnovation, Security and Excellence in Cybersecurity, Manufactured in CanadaNational cyber industry cluster