I can also confirm that Raytheon is building up this capability (although less so than Northrop and Lockheed).

If you're curious what companies are actually committing to vulnerability dev you can search any cleared jobs site for "offensive"; the companies that have listings are who you'd imagine them to be (minus a couple placement firms that just put people right at the Fort).