Dawid Moczadło

CTO & Co-Founder of Vidoc Security Lab

Security researcher and ethical hacker with a passion for finding and fixing vulnerabilities at scale. Ethically hacked the biggest tech companies in the world. A former No. 1 ethical hacker in Poland (by Microsoft) and a CTF competitor with team P4. Recognized as Forbes 30 under 30 honoree and featured in leading global media including Bloomberg, The Washington Post, CNBC and others.

Articles by Dawid Moczadło

11 articles published

April 14, 2026 (2d ago)

We Reproduced Anthropic's Mythos Findings With Public Models

Anthropic framed Mythos and Project Glasswing as proof that frontier AI vulnerability research now needs gated access. We tested the public, patched cases with GPT-5.4 and Claude Opus 4.6 and found that the key building blocks are already accessible outside Glasswing, while reliable operationalization remains the real moat.

April 7, 2026 (9d ago)

Claude Mythos Is a Backlog Visibility Warning for Enterprise Security Teams

Vidoc's take on Claude Mythos: large software organizations already sit on more unknown issues than current AppSec workflows can realistically discover and validate.

April 2, 2026 (14d ago)

We Analyzed the Leaked Claude Code Source: Here's What Anthropic Secured (and What They Didn't)

Anthropic accidentally leaked Claude Code's source. We read it so you don't have to: strong controls around the agent itself, but the software it writes is mostly left to the model's judgment. Full breakdown.

October 24, 2025 (5mo ago)

How we helped make Lovable more secure

A technical deep-dive into exploiting Firebase Auth emulator configuration via cookie injection, mixed-content bypasses, and subdomain trust boundaries - and how VIDOC helped Lovable secure their platform.

October 22, 2025 (5mo ago)

Detecting complex vulnerabilities in real-world code: LLM benchmark for enhanced software security

Traditional SAST tools often miss complex business logic flaws, but can LLMs fill the gap? Research publication by Klaudia Kloc and Dawid Moczadło introduces a real-world benchmark to evaluate AI effectiveness in identifying vulnerabilities that standard tools overlook.

August 18, 2025 (8mo ago)

Vibe Coding Security: 9 Real Vulnerabilities in AI-Generated Code (SQLi, XSS, Broken Auth & More)

AI-generated code ships fast but introduces predictable security holes: plain-text password storage, missing auth on new endpoints, SQLi from unsanitized inputs, and hallucinated packages (slopsquatting). Here's what to check and how to fix each one.

July 29, 2025 (8mo ago)

LLMs Can Now Find Zero-Day Vulnerabilities. Here's Why That's Both Impressive and Alarming.

Large language models can now reliably spot real-world zero-day vulnerabilities through brute-force iteration. We explain how it works, what it means for red teams, and why defenders should be paying close attention.

April 9, 2024 (2y ago)

State of Security Automation

SAST tools overlook more than 85% of CVEs in real-world scenarios. Outdated security automation can't keep pace with rapid code development, and there is a hidden cost of security automation: validating false positives.

October 30, 2023 (2y ago)

Next.js 14 Security: Server Actions Auth Bypass, Data Leaks & What Taint API Won't Protect Against

Next.js 14 Server Actions look like magic but expose auth bypass and data leak vectors that traditional scanners miss entirely. We break down the risks and why the experimental Taint API isn't enough on its own.

October 24, 2023 (2y ago)

Escalating debug mode in Django to RCE, SSRF, SQLi

Security implications of DEBUG=true in Django. Learnings from an ethical hacker's perspective.

May 16, 2022 (3y ago)

Hacking Swagger-UI - from XSS to account takeovers

We have reported more than 60 instances of this bug across a wide range of bug bounty programs, including companies like PayPal, Atlassian, Microsoft, GitLab, Yahoo, ...