WatchTowr
Singapore-based offensive security firm that detected active CitrixBleed 3 reconnaissance in the wild before mass exploitation.
Last refreshed: 17 April 2026 · Appears in 1 active topic
How early did WatchTowr detect CitrixBleed 3 exploitation attempts?
Timeline for WatchTowr
Detected active reconnaissance of CVE-2026-3055 in the wild
Cybersecurity: Threats and Defences: CitrixBleed 3 lands on SAML broker- Did anyone spot CitrixBleed 3 being exploited before Citrix issued a fix?
- WatchTowr detected active reconnaissance against CVE-2026-3055 in the wild; CISA added the CVE to its KEV catalogue on 28 March 2026, confirming active exploitation.Source: WatchTowr / CISA
- What does WatchTowr do?
- WatchTowr is a Singapore-based offensive security firm providing attack-surface monitoring and CVE exploitation research. Its public disclosures feed into CISA KEV updates and national CERT advisories.
Background
WatchTowr confirmed active reconnaissance against CVE-2026-3055 (CitrixBleed 3) in the wild ahead of mass exploitation, making it the primary early-warning data point cited in CISA and NCSC advisories on the vulnerability. The firm is known for proactive scanning of internet-facing enterprise infrastructure and has published early exploitation data on several high-profile Citrix and edge-device CVEs.
Founded in Singapore and operating across the Asia-Pacific and European enterprise markets, WatchTowr provides attack-surface monitoring and offensive security research. Its public CVE disclosures and exploitation-activity reports are regularly cited by CISA's KEV catalogue updates and by national CERTs including the UK's NCSC.
In the CitrixBleed 3 window, WatchTowr's reconnaissance data arrived ahead of Shadowserver's broader scan statistics, giving defenders an earlier-than-usual signal. For enterprise security teams, independent offensive-research firms producing pre-exploitation telemetry have become a practical supplement to vendor advisories, which often lag actual exploitation activity.