Notes from the audit floor.
Field reports, methodology, and the patterns we keep finding on real engagements. No vendor pitches.
Why scanners miss 30% of real findings
Automated scanners are loud but blind. The findings that actually break production — chained logic flaws, BOLA across tenants, signed-but-tampered cart items — only show up when a senior analyst sits with the application for a few hours.
OWASP Top 10 2026: what actually changed
The 2026 revision is more than a rename. Three categories merged, server-side request forgery moves up, and one new category captures supply-chain risk. Here's what your security review needs to cover.
Prepping for SOC 2 in 14 days: a runbook
Two weeks is tight but doable, if you bring the right inputs. Here's the day-by-day plan we use when a customer needs SOC 2 evidence for an enterprise deal closing in 14 days.
Why your CSP probably allows unsafe-inline
If your team has shipped a CSP, there's an 80% chance it includes `'unsafe-inline'` or `'unsafe-eval'`. Here's why that defeats the point — and how to migrate to nonces without breaking your analytics.
BOLA vs IDOR: the difference and why it matters
The OWASP API Top 10 calls it BOLA. Older write-ups call it IDOR. They overlap, but the framing leads to different fixes — and one of them is much more dangerous in practice.
Pen-testing CI/CD pipelines: a checklist
Your pipeline runs trusted code on production secrets. Most security reviews skip it entirely. Here's the 12-point checklist we run on every CI/CD audit.
When to ship a re-test certificate (and when not to)
Customers ask for the certificate on day one. We don't ship it until we'd put our name on it publicly. Here's the bar.
Reading Burp Suite output: a 30-minute primer
Burp's Issue panel is dense and full of false positives. Most engineers skim past it. Here's how to triage the output efficiently — and which categories almost always need manual confirmation.