Notes from the offensive side.
Field reports, methodology breakdowns, and unvarnished opinions from the team that runs continuous security on 280+ engineering stacks.
Everything we've published.
State of pentesting · Q1 2026
We analyzed 280 engagements across web, API, mobile, cloud, and smart contract scopes. Here is what the data shows about modern offensive testing.
Continuous security in CI / CD
A concrete walkthrough of how to wire security testing into your pipeline so it gates without slowing — including the failure modes nobody warns you about.
PTaaS vs bug bounty — when to use which
They look similar from a distance. They solve different problems. A practical framework for deciding which one — or which combination — fits your program.
OWASP Top 10 on a modern stack
The categories are stable. The exploits are not. Here is how the canonical Top 10 actually shows up in serverless, edge-runtime, and AI-augmented stacks.
How AI-assisted triage actually works
We use AI in the triage layer. Here's the honest version of what it does well, what it doesn't, and where the human still has the final word.
Retesting without friction
Most security workflows die at the verification step. Here is the workflow we built so retesting takes minutes, not weeks — and what we learned along the way.
New posts, every two weeks.
Field reports, research breakdowns, and engineering notes. Zero sales spam, ever.
Ready to see the platform that powers these posts?
Most teams scope a pilot in a single 30-minute call. We'll walk through your stack and recommend the right starting surface.