Blog

Security Insights

Deep dives, expert analysis, and practical guidance on exposure management, adversarial validation, and the future of AI-driven exposure management.

Penetration TestingOffensive Security

How to Catch the Blind Bugs Scanners Miss

Out-of-band validation detects blind SSRF, blind SQLi, and out-of-band XXE that return no in-band response. Learn how it works and why it matters.

May 29, 202613 min

Application SecurityLLM Security

5 Vulnerabilities in Every Vibe-Coded App

The 5 security flaws AI coding assistants ship by default: missing authz, leaked secrets, weak JWTs, IDOR, eval RCE — with detection queries and fixes for each.

May 29, 202613 min

Penetration TestingOffensive Security

Black-Box Agentic Scanners: Strengths and Their Ceiling

Black box agentic pentesting finds real CVEs fast and proves them, but where does it hit a ceiling? An honest, category-level verdict.

May 29, 20268 min

LLM SecurityOffensive Security

Why AI-Generated Exploit Code Must Run in Isolation

Agent-written exploit code is the new RCE vector aimed at the tester. Here's why per-task isolation and egress control are non-negotiable.

May 29, 202613 min

What Is Agentic Pentesting - Complete Guide for Security Teams 2026

Penetration TestingOffensive Security

What Is Agentic Pentesting? The Complete Guide for Security Teams (2026)

Agentic pentesting uses specialized AI agents to test your entire attack surface in hours, not weeks. Here is how it works, what surfaces it covers, how safety is enforced, and how to evaluate platforms with real benchmarks.

May 28, 202619 min

CompliancePenetration Testing

ISO 27001 Penetration Testing Requirements

ISO 27001:2022 never names penetration testing, yet it is how you evidence Annex A 8.8 and 8.29 at a surveillance audit. The honest read on required vs expected, with the 2013 lineage and the Oct 2025 deadline.

May 20, 20268 min

The TanStack npm Attack That Punishes You for Fixing It — 170+ packages compromised, 84 malicious versions, 6 min publish window, 518M cumulative downloads

Supply Chain SecurityCybersecurity

The TanStack npm Supply Chain Attack That Hit 170 Packages and Punishes You for Revoking Your Token

The TanStack npm supply chain attack hit 12 million weekly downloads using three public techniques and zero novel code. Here is exactly how it worked.

May 13, 202613 min

CompliancePenetration Testing

PCI DSS Penetration Testing Requirements

PCI DSS v4.0.1 Requirement 11.4 is the rare standard that names penetration testing outright: internal and external annually plus after change, segmentation at 12 or 6 months, mandatory since 31 Mar 2025.

May 5, 20267 min

Data BreachesCybersecurity

Top 10 Data Breaches of April 2026

The biggest data breaches of April 2026 ranked and analyzed, from Checkmarx supply chain poisoning to Salesforce misconfigurations and ransomware hitting two major US banks.

May 1, 202615 min

CVEVulnerability Intelligence

Top 7 Critical CVEs of April 2026 You Need to Act On Now

The top CVEs of April 2026 were exploited in hours. Marimo RCE, Windows IKE, Fortinet EMS, GitHub GHES, ActiveMQ, and more. Attack scenarios, risk context, and fixes.

May 1, 202622 min

Checkmarx and Bitwarden supply chain attack: Your CI/CD pipeline is the attack surface

CybersecurityVulnerability Intelligence

Checkmarx and Bitwarden Just Showed That Your Pipeline Is the Attack Surface

How the Checkmarx supply chain attack compromised Bitwarden's CLI pipeline in four minutes, what was stolen, and the program design gap that made it possible.

Apr 29, 20267 min

CVEVulnerability Management

NIST Just Changed How It Tracks and Prioritizes CVEs

NIST has changed how it enriches CVEs in the NVD. Learn what the new risk-based triage model means for your vulnerability management program, scanner data, and remediation workflows.

Apr 29, 202613 min