Skip to content

Blog

Field notes from the offensive side

Practical writing on penetration testing, attack techniques, and the compliance frameworks that reference them.

LatestRed TeamingJul 13, 2026 · 4 min read

Offense in Depth in Red Team Operations

Defense in depth layers protection. Offense in depth layers attack paths so a red team still reaches its objective when one route fails. Here is how it works.

Read the article
Proactive SecurityJun 29, 2026

Security Between Penetration Tests

An annual pentest covers two weeks and leaves fifty uncovered. Here is how to secure the rest of the year without waiting for the next scheduled engagement.

Read4 min read
AI/ML PentestingMay 29, 2026

The Limits of AI in Penetration Testing

AI is changing penetration testing, but it will not replace human testers. Here is what it does well, where it falls short, and why judgment still wins.

Read4 min read
Proactive SecurityMay 13, 2026

The Cost Savings of Proactive Security

Proactive security looks like pure cost until you price the breach it prevents. Here is the economic case for testing early, in terms a CFO will recognize.

Read4 min read
AI/ML PentestingApr 15, 2026

Penetration Testing for AI and LLM Systems

AI applications add attack surface that traditional testing misses. See how attackers target LLMs, from prompt injection to data leakage, and how to test them.

Read4 min read
AI/ML PentestingMar 26, 2026

Indirect Prompt Injection Explained

Indirect prompt injection hides attacker instructions in content an AI later reads. Learn how the attack works, why it is dangerous, and how to defend.

Read4 min read
Red TeamingFeb 20, 2026

Is Your Organization Ready for Red Teaming?

Red teaming rewards mature security programs and overwhelms immature ones. Here is how to tell if you are ready, and how to plan a scenario worth running.

Read4 min read
RansomwareJan 31, 2026

Ransomware: How Modern Attacks Actually Work

Ransomware is no longer just encryption. Here is how modern attacks unfold, why backups are not enough, and where penetration testing breaks the kill chain.

Read4 min read
AI/ML PentestingJan 15, 2026

Planning for AI Vendor Failure

AI startups fold, get acquired, and pivot constantly. If your product depends on one, here is how to stay resilient when your AI provider disappears or changes.

Read4 min read
GuidesDec 26, 2025

Application Security Myths, Debunked

Common myths quietly undermine application security programs. Here are the most persistent ones, and what actually holds up once you test them against reality.

Read4 min read
Application PentestingNov 23, 2025

The OWASP API Security Top 10, Explained

The OWASP API Security Top 10 names the risks that break real APIs. Here is what each category means in plain terms, and why authorization dominates the list.

Read4 min read
Application PentestingOct 29, 2025

API Security Best Practices

A practical guide to API security: authentication, authorization, rate limiting, input validation, and the design habits that keep your endpoints from leaking.

Read4 min read
GuidesOct 23, 2025

Penetration Testing Cost in 2026

What drives penetration testing cost: scope, test type, and timeline, plus realistic price ranges by engagement.

Read3 min read
Red TeamingSep 16, 2025

How to Prepare for a Red Team Engagement

Is your organization ready for a red team? Signs of readiness, how objectives and scenarios are set, and what to expect from kickoff through the final readout.

Read2 min read
Red TeamingAug 24, 2025

Crafting Realistic Red Team Scenarios

A red team is only as valuable as its scenario. Learn how to design intelligence-driven, realistic scenarios modeled on the threats that actually target you.

Read4 min read
Red TeamingAug 7, 2025

Getting the Most From a Red Team

The value of a red team is in what you do after it. Here is how to turn an exercise into lasting improvement through debriefs and real follow-through.

Read4 min read
AI/ML PentestingJul 20, 2025

How Integrations Expand the LLM Attack Surface

An LLM becomes far more dangerous the moment you connect it to tools and data. Here is how integrations expand the attack surface, and how to contain the risk.

Read4 min read
GuidesJun 27, 2025

SOC 2 Pentest Requirements Explained

Does SOC 2 require a penetration test? What auditors expect, what the report should include, and when to time testing.

Read3 min read
AI/ML PentestingJun 24, 2025

The OWASP Top 10 for LLM Applications, Explained

A plain-English guide to the OWASP Top 10 for LLM Applications: what each risk means, why it matters, and how to test your AI system against it.

Read3 min read
Application PentestingMay 29, 2025

Penetration Testing for SaaS Companies

SaaS platforms carry multi-tenant risk, aggressive release cycles, and enterprise buyers who demand proof. Here is how to test a SaaS product effectively.

Read4 min read
Application PentestingMay 27, 2025

Cloud Application Security: A Practical Guide

A practical guide to cloud application security: the shared responsibility model, the risks that actually cause cloud breaches, and how to test for them.

Read3 min read
Application PentestingMay 14, 2025

Shifting Security Left in the SDLC

Shift-left security moves testing earlier in the development lifecycle, where flaws are cheap to fix. Here is what it means in practice and how to do it well.

Read4 min read
AI/ML PentestingApr 10, 2025

Adversarial Machine Learning: Key Terms

A plain-English glossary of adversarial machine learning: evasion, poisoning, model inversion, extraction, and the other terms security teams need to know.

Read4 min read
Red TeamingApr 8, 2025

Defensive vs Offensive Security: The Difference

Defensive vs offensive security explained: what each approach does, how blue teams and red teams differ, and why you need both to actually stay secure.

Read3 min read
Proactive SecurityMar 18, 2025

CTEM: Continuous Threat Exposure Management

CTEM is a framework for continuously finding and reducing exposure instead of testing once a year. Here is what its five stages mean and how to put it to work.

Read4 min read
GuidesMar 18, 2025

The Ultimate Penetration Testing Checklist

A practical penetration testing checklist covering scoping, pre-engagement, testing coverage, reporting, and remediation, so your next pentest is thorough and audit-ready.

Read5 min read
Red TeamingMar 4, 2025

Red Team vs Blue Team: The Difference

Red team vs blue team explained: what each does in cyber security, how they differ, where purple teaming fits, and how red teaming compares to penetration testing.

Read3 min read
Proactive SecurityFeb 25, 2025

External Attack Surface Management (EASM), Explained

What external attack surface management (EASM) is, why your internet-facing footprint keeps growing, and how it works alongside penetration testing.

Read3 min read
GuidesFeb 24, 2025

Building a Secure Code Review Program

Secure code review finds flaws automated scanning misses, at the source. Here is how to build a program that scales without slowing your engineers down.

Read4 min read
GuidesFeb 11, 2025

PCI DSS Compliance Checklist

A practical PCI DSS compliance checklist covering all 12 requirements, scoping your cardholder data environment, and the penetration testing PCI requires.

Read4 min read
Application PentestingFeb 8, 2025

A Layered Approach to AppSec Testing

No single test secures an application. Learn how SAST, DAST, pentesting, and code review fit together into a layered application security testing strategy.

Read4 min read
GuidesJan 25, 2025

How to Scope Your First Penetration Test

A step-by-step guide to scoping your first penetration test: what to define, what to expect on a scoping call, and mistakes to avoid.

Read3 min read
GuidesJan 14, 2025

Security Risk Assessment: A Practical Guide

What a security risk assessment is, how it differs from a penetration test, the steps involved, and how it fits compliance frameworks like SOC 2, ISO 27001, and HIPAA.

Read3 min read
GuidesJan 7, 2025

IT Security Audit: What It Is and How It Works

What an IT security audit is, what it covers, how it differs from a penetration test, and how information security audit services support SOC 2, ISO 27001, and HIPAA.

Read3 min read
GuidesDec 30, 2024

Types of Penetration Testing: A Complete Guide

The main types of penetration testing by target (web, API, mobile, network, cloud, hardware, social) and by method (black, white, and grey box), and how to choose.

Read3 min read
AI/ML PentestingDec 21, 2024

Balancing LLM Security and Usability

Lock an AI assistant down too hard and it becomes useless; too loose and it becomes a liability. Here is how to find the balance between security and usability.

Read4 min read
GuidesDec 10, 2024

Cloud Security Best Practices

The cloud security best practices that actually prevent breaches: identity, data protection, configuration, monitoring, and testing, in priority order.

Read3 min read
Proactive SecurityDec 1, 2024

Proactive Security: Finding Risk First

Reactive security waits for the alarm. Proactive security finds and fixes weaknesses before attackers reach them. Here is what the shift looks like in practice.

Read4 min read
GuidesNov 19, 2024

Automated vs Manual Penetration Testing

Automated penetration testing is fast and cheap, but it misses the flaws that cause breaches. Here is what automation catches, what it cannot, and the right blend.

Read3 min read
Application PentestingNov 5, 2024

Web Application Security Testing: The Complete Guide

The types of web application security testing (SAST, DAST, IAST, SCA, and manual penetration testing), what each catches, and how to combine them effectively.

Read3 min read
Application PentestingNov 2, 2024

API Penetration Testing: A Complete Guide

What API penetration testing covers, which vulnerabilities matter most, and how to scope a test for REST, GraphQL, and internal APIs before attackers strike.

Read4 min read
GuidesOct 27, 2024

NYDFS 23 NYCRR 500: What Penetration Testing Does the Regulation Actually Require?

A practical guide to the penetration testing and vulnerability assessment requirements in New York's NYDFS Cybersecurity Regulation (23 NYCRR 500) for covered financial entities.

Read2 min read
Application PentestingOct 8, 2024

The OWASP Mobile Top 10, Explained

A plain-English guide to the OWASP Mobile Top 10: the most critical mobile app security risks for iOS and Android, and how to test your app against them.

Read3 min read
Application PentestingSep 16, 2024

The Risk of Malicious Connected Apps

OAuth connected apps can read your email and files without ever touching your password. Here is how malicious integrations work and how to limit the damage.

Read4 min read
GuidesSep 16, 2024

Penetration Testing vs Vulnerability Scanning

Penetration testing vs vulnerability scanning vs vulnerability assessment: what each one is, how they differ, and when you need which. A clear, practical comparison.

Read3 min read
GuidesAug 31, 2024

Application Security Program Maturity

How mature is your application security program? A practical checklist across five levels, from ad hoc to optimized, and how to move up to the next one.

Read4 min read
Application PentestingAug 13, 2024

The Security Risks of Vibe Coding

AI can generate working code from a prompt in seconds. It can generate insecure code just as fast. Here are the risks of vibe coding and how to ship it safely.

Read4 min read
GuidesJul 23, 2024

Getting Started with Application Security

Building an application security program from nothing is less about tools than sequence. Here is a practical first-90-days path that avoids the common traps.

Read4 min read

Put it into practice

Reading is good. Testing is better.

Tell us what to test and see your fixed price.

Prefer the full scoping questionnaire?

Get a Fixed-Scope Quote

Tell us what you need tested. We reply within one business day.