penetration testing
5 posts
Stop counting findings
Pentest reports are calibrated to finding count, not exploitability. The metric the buyer evaluates becomes the work product.
GTFOBins catalogues privilege misconfiguration
GTFOBins documents a structural property of Unix privilege: grants bind to binaries, not operations, and the gap is the escalation surface.
The Real Risk Isn't AI-It's Context Ignorance in Cybersecurity
AI-generated attacks fail in production due to unvalidated assumptions about access controls. The real risk isn't AI-it's context ignorance in cybersecurity operations.
The Router Is Not a Passive Device - It's the Attack Surface
Routers with default credentials and unpatched firmware are actively exploited due to lack of visibility and control. This post defines what failed, why it failed, and the systemic pattern that enables exploitation across infrastructure types.
AI-Driven Attacks Expose a Fundamental Control Failure
Large-scale automated login attempts in Q2 2024 highlight a critical control failure: identity enforcement at request boundaries. The real risk is not AI, but trusting input based on origin rather than verification.