This report is a summary of our public-facing security research findings from across the over 237 conference publications, technical blog posts, advisories, and tool releases published by researchers at NCC Group between January 1 2021 and December 31 2021.

A product of thousands of dedicated research days, the Report brings together hundreds of research publications and conference presentations, including 139 research papers, whitepapers, technical blog posts and advisories, 31 new open source tools & code releases, as well as 68 conference presentations.

In 2021, NCC Group’s researchers hacked drones out of the sky; attacked machine learning systems; advised US Congressional staffers about open source and supply chain security; helped improve recommendations made by the NSA and CISA; exposed a number of unsafe smart devices used in the home; released user-centric mobile privacy analysis tooling; discovered new vulnerability classes, and found many critical vulnerabilities in high-impact systems.

Senior Vice President and Global Head of Research at NCC Group, Jennifer Fernick said: “As an industry, we face a reckoning in which I believe that in 2022, we need to elevate ourselves toward taking a more scientific and rigorous approach to the study of information security cause and effect, and let go of the unspoken agreements, copycat risk-mitigations, hearsay “best practices,” and other unacceptable industry norms.”