Alisa Esage

Early Life and Education

Alisa Esage, born Alisa Andreeevna Shevchenko, is a Russian-born computer security researcher and entrepreneur. She has cited her father as the primary inspiration for her career, recalling that he taught her to solder at age five. She began reading books on computers and programming in early school and taught herself to code in C++ and x86 assembly language after receiving her first PC at age 15. A self-described "offensive security researcher," she was, according to a 2014 Forbes profile, more drawn to hacking than to conventional programming. She later dropped out of university to pursue work in the security field.

Career

Following her departure from university, Esage worked as a malware analysis expert at Kaspersky Labs for five years. In 2009, she founded her own company, initially called Esage Labs and later rebranded as ZOR Security — a Russian acronym for Цифровое Оружие и Защита, meaning "Digital Weapons and Defense."

Between 2014 and 2018, Esage was credited with discovering multiple zero-day security vulnerabilities in widely used software products from Microsoft, Mozilla Firefox, and Google. A portion of these vulnerabilities were responsibly disclosed through the Zero Day Initiative (ZDI) security bounty program, credited under various pseudonyms. In early 2021, she launched Zero Day Engineering, a professional training and consulting firm focused on advanced computer security and vulnerability research.

Notable Work and Competitions

In 2014, Esage took first place in the PHDays IV "Critical Infrastructure Attack" contest, also known as "Hack the Smart City," successfully compromising a mock smart city environment and identifying several zero-day vulnerabilities in Indusoft Web Studio 7.1 by Schneider Electric.

On April 8, 2021, Esage became the first woman to compete and win at Pwn2Own, the advanced hacking competition that has run since 2007. At Pwn2Own Vancouver 2021, she targeted Parallels Desktop for Mac version 16.1.3 with a zero-day exploit she developed independently, demonstrating a guest-to-host virtual machine escape with arbitrary code execution on a fully patched macOS system. The entry was designated a "partial win" by contest organizers on the grounds that the targeted software vendor had internal knowledge of the exploited vulnerability prior to the competition — a ruling that generated significant debate within the security community, with prominent figures calling for a revision of the relevant competition rules.

Her status as the first female participant was also briefly contested, though public records of Pwn2Own competitions, including official blog posts and livestream recordings, contain no documented mention of female participation prior to her 2021 entry. The competition's founder confirmed her historic status on Twitter.

Publications and Conferences

Esage has presented her research at multiple international security conferences, including RECON, Positive Hack Days, Zero Nights, POC x Zer0con, and Chaos Communications Congress. Her work has appeared in publications such as Virus Bulletin, Secure List, and Phrack Magazine. Notable publications include "Self-patching Microsoft XML with misalignments and factorials" in Phrack Magazine (issue 69, 2016), as well as several Virus Bulletin papers on topics including fuzzing for zero-day disclosure, cyber investigations, and malware case studies.

Controversy

ZOR Security, Esage's company, was placed on a United States sanctions list following accusations that it assisted efforts to interfere in the 2016 U.S. presidential election. Esage publicly stated that authorities had either misinterpreted the facts or been deceived, and U.S. officials have not publicly disclosed the specific basis for their belief that she worked with GRU-linked hackers or what she allegedly provided them.

Recognition

Esage has won several international advanced hacking competitions and has been featured across top-tier security industry publications. She is part Ukrainian.