An independent security-research practice mapping India & APAC's exposed attack surface — leaking APIs, open OpenAPI specs, source-map and cloud exposure, and now self-hosted AI. Found at internet scale, proven by hand, written up so the insight survives the screenshot.
fa1c0n@recon ~ $ the thesis
The interesting part is never that something leaked. It's that the leak was working exactly as designed — the docs were doing their job, the cloud bucket was “internal,” the source map shipped to make debugging easier. Exposure is rarely a bug. It's a decision nobody remembers making.
What a single pass at India's address space gave up — and what each number actually means.
fa1c0n is an independent security-research practice focused on India & APAC's digital attack surface — vast, fast-growing, and still under-examined while most research keeps pointing at the US and EU.
The work is simple to state and hard to do well: find what's public but shouldn't be, prove it carefully, and report it in language that holds up — mapped to DPDP and ISO 27001 so the findings survive a real review.
Recon runs at internet scale; automation handles the breadth so the high-signal work gets proper attention. What the research keeps re-learning gets built into tools — the practice and its tooling grow together.
A research question, a collaboration, something you found, or a bug you want a second set of eyes on — it all reaches the same inbox, and it's read.