security reporting
2 posts
Article
A project name is not a threat model
Project Glasswing has been named but not defined. Without stated scope, identity model, or controls, no security assessment is possible.
Article
Stop counting findings
Pentest reports are calibrated to finding count, not exploitability. The metric the buyer evaluates becomes the work product.