Security Research

SECURITY
intel.

Field notes from the engagements we run. Deep technical write-ups on the techniques attackers use and how to defend against them. No vendor fluff.

LOG

Latest articles.

Web Security
OWASP Top 10 (2021) Explained for Engineers

A practical walkthrough of every category in the OWASP Top 10 with real-world exploit examples and remediation guidance you can ship today.

12 min read · OWASP · Web
API Security
Five GraphQL Vulnerabilities We Find on Every Engagement

Introspection leaks, batching attacks, BOLA via nested queries, alias amplification, and mutation tampering — the GraphQL-specific bugs that bypass REST-era defences.

8 min read · GraphQL · BOLA
Cloud Security
The AWS IAM Misconfiguration That Exposes Your Entire Account

How a single over-permissive role combined with a public Lambda repeatedly leads to full AWS compromise — with detection rules to catch it.

9 min read · AWS · IAM
Compliance
PCI-DSS v4.0 Penetration Testing Requirements Explained

Requirement 11.4 in plain English — what your QSA expects, what counts as a qualified tester, segmentation testing scope, and how to choose a vendor.

10 min read · PCI-DSS · Compliance

By topic.

Web SecurityAPI SecurityCloudRed TeamComplianceOWASPAWSAzureGCPKubernetesGraphQL
Want this in your inbox?

TALK TO A
pen tester.

Working through a specific finding? Book a free 30-minute call with one of our engineers.

Book Free Scoping Call →All Services