Valtik Studios
Insights

Original research, organized by theme

117+ cybersecurity analyses clustered by what they cover. Jump straight to compliance research if you are preparing for an audit, threat intel if you are tracking current adversary behavior, or platform security if you are architecting a stack.

PCI · HIPAA · SOC 2 · CMMC · NYDFS · ISO 27001

Compliance & Regulatory · 20 posts

Regulatory frameworks decoded: what changed, what the auditors check, what the fines are when you get it wrong.

Payment Security · 2026-04-17

PCI DSS 4.0: The March 2025 Mandate That's Still Biting E-Commerce

PCI DSS 4.0 became mandatory March 31, 2025. A year later, e-commerce merchants are still flunking compliance assessments, QSAs are being stricter, and payment processors are issuing non-compliance notices. A practical walkthrough of what actually changed from 3.2.1, the requirements biting merchants hardest, and how to actually pass a 4.0 assessment.

AI · 2026-04-08

What ChatGPT, Claude, and Gemini Actually Keep About You

Every AI chatbot retains your conversations. Retention periods, training use, law enforcement access, and breach history vary dramatically. A practical data privacy map of ChatGPT, Claude, Gemini, Copilot, Grok, and Meta AI, including the NYT v. OpenAI court order requiring indefinite retention.

Encryption · 2026-03-25

Your Encryption Has an Expiration Date

Every HTTPS connection, Signal chat, and VPN on the internet relies on crypto that quantum computers will break. NIST finalized the replacements in 2024. A post-quantum cryptography migration guide for application security and compliance teams.

Ransomware · 2026-03-21

Inside a Ransomware Gang: HR Departments, Salaries, and Bonuses

Ransomware-as-a-Service operations like LockBit, BlackCat, and Cl0p run on affiliate economics. The business model evolution from ransomware attacks to double-extortion, and what it means for incident response and cyber insurance.

EU Regulation · 2026-03-07

EU NIS2 Directive: Why US Companies Need to Care

NIS2 became enforceable across EU member states in October 2024. It's Europe's biggest cybersecurity regulation since GDPR, covering 100,000+ entities across 18 critical sectors. And, to the surprise of many US companies, it affects any non-EU company that provides services to EU customers in covered sectors. Penalties up to €10M or 2% of global revenue. A practical guide to whether NIS2 applies to you and what to do about it.

State Privacy Law · 2026-03-06

US State Data Privacy Laws 2026: The Complete Matrix Every Business Needs

If you do business in the US, you are likely subject to multiple state data privacy laws. California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and a growing list of states have active laws with enforcement authority. A practical matrix of what each law requires, the thresholds that trigger applicability, and the unified compliance approach that handles all of them.

AI · 2026-02-24

Clearview AI's Privacy Settlement: Victims Are Now Shareholders

Clearview AI scraped 30+ billion photos from the public internet to build a facial recognition system sold to law enforcement. A landmark $52 million ACLU settlement followed. A data privacy and facial recognition investigation.

Healthcare · 2026-02-23

Healthcare Ransomware in 2026: Why 118 Breaches in Two Months Is a Warning

118 healthcare data breaches in the first two months of 2026. 9.6 million patients affected. Healthcare is now the most targeted industry for ransomware: 22% of all attacks globally. A deep dive into the attack patterns, the regulatory pressure, the compliance landscape (including the proposed HIPAA pentest mandate), and what healthcare CISOs should be doing right now.

LastPass · 2026-02-06

$438 Million Stolen: The LastPass Breach Three Years Later

The LastPass breaches cost users $438 million in cryptocurrency theft and destroyed enterprise trust in cloud password managers. A deep dive into the breach timeline, architectural failures, and password manager security comparisons.

Cyber Insurance · 2026-02-06

Why Your Cyber Insurance Won't Pay: The Denial Patterns You Need to Know About

Cyber insurance premiums are up 50-100%. Policy exclusions have quintupled in six years. Payouts are routinely denied for reasons that aren't obvious until your claim is rejected. A detailed walkthrough of how carriers deny claims in 2026, the exclusions biting hardest, and what your organization should be doing to actually get paid when you need to.

Data Brokers · 2026-02-04

The $434 Billion Industry That Knows Where You Sleep

The US data broker industry is a $200+ billion economy selling everything from your home address to your health conditions. A data privacy investigation with opsec guidance for consumer cybersecurity.

Vendor Risk · 2026-02-02

The SaaS Vendor Security Audit Checklist: What to Ask Before You Buy

Your organization uses 150+ SaaS vendors. Any one of them could be a breach that exposes your customer data. A practical procurement security audit checklist: the questions to ask every new SaaS vendor, the contract clauses that protect you, the ongoing monitoring that catches vendor degradation, and the decision framework for whether a specific vendor is worth the risk.

APTs · Ransomware · Supply Chain · Breaches

Threat Intelligence · 32 posts

How actual threat actors operate right now. Analysis of recent incidents, attack patterns, and defense implications.

Node.js · 2026-04-15

Node.js April 2026 Security Release: Every CVE Explained, What to Patch First

Node.js shipped v24.14.1 LTS and v25.9.0 on March 30, 2026 with seven security fixes. Fastify followed with three patches. Next.js dropped v16.1.7 and v15.5.13 with five fixes. Here is the technical breakdown of every CVE and the priority order for patching.

Social Media · 2026-04-13

Fake Americans, Real Influence: Inside State-Sponsored Propaganda

Russia's IRA reached 126 million Americans. China's GoLaxy leak revealed 3,692 AI personas targeting US officials. A threat intelligence investigation into foreign state propaganda operations and defensive opsec.

Supply Chain · 2026-04-12

A Hacker Spent Two Years Earning Trust to Backdoor the Internet

The XZ Utils backdoor (CVE-2024-3094) was a near-miss supply chain attack three years in the making. Systemd's liblzma dependency turned into an SSH RCE by nation-state patience. A supply chain security and threat intelligence case study.

Deepfakes · 2026-04-09

Every Person on the Video Call Was Fake: The $25.6 Million Deepfake Heist

In 2024, a Hong Kong finance worker wired $25.6 million after a deepfake video call with his CFO. Social engineering is entering a new era. Incident response and security awareness training for the deepfake threat era.

Backup / DR · 2026-04-08

The Backup Strategy That Actually Survives Ransomware in 2026

Most backup strategies fail against modern ransomware. Attackers encrypt backups before encrypting production. Here is the 3-2-1-1-0 backup architecture that actually works and the specific configurations that prevent the attacker from destroying your recovery path.

Anthropic · 2026-04-05

Anthropic Mythos Found Thousands of Zero-Days. Here Is What That Actually Means.

Claude Mythos autonomously found 595 crashes across 1,000 OSS repos, including a 17-year-old FreeBSD NFS RCE (CVE-2026-4747). What it actually does and why it matters for vulnerability research and threat intelligence.

AI · 2026-04-02

Your AI Chatbot Is a Fancy Calculator. Here Is Why.

LLMs are next-token prediction engines, not reasoning machines. A technical takedown of AI sentience claims with implications for cybersecurity, social engineering, and threat intelligence.

Supply Chain · 2026-04-01

Supply Chain Attacks in Early 2026: The Pattern Across Four Major Incidents

Q1 2026 saw four major software supply chain incidents: a targeted npm package takeover, a compromised GitHub Actions marketplace action, an IDE extension that dropped malicious code, and a container image registry that pushed backdoored images. The pattern tells us what defenders need to prioritize.

Anthropic · 2026-03-29

Claude Mythos 2 Preview: What Anthropic Just Shipped for Cybersecurity

Anthropic's April 2026 preview of Claude Mythos 2 claims breakthrough autonomous vulnerability research. We dig into what it actually does, what it does not, and what it means for pentest firms, bug bounty programs, and the 0-day market.

Okta · 2026-03-29

Okta Rate Limit Abuse in 2026: What Scattered Spider Is Doing Now

Scattered Spider evolved their Okta-targeted attacks after the 2023-2024 MGM and Caesars incidents. April 2026 intelligence shows the group hitting Okta tenants through a narrow rate-limit bypass plus social engineering of help desk staff. Here is what we are seeing and the detection rules that work.

Tor · 2026-03-23

Tor Browser Hardening: What the Defaults Don't Protect You From

Tor Browser out of the box is the strongest anonymity tool available to consumers. It's also defeated regularly by users who think downloading it is enough. A practical guide to what Tor actually protects against, the common mistakes that deanonymize users, and the configuration and operational changes that make Tor usable as a real privacy tool.

Credentials · 2026-03-22

16 Billion Credentials Leaked in 2025: The Infostealer Epidemic

Infostealer malware like RedLine, Raccoon, and Lumma exfiltrated 3.2 billion credential records in 2025. The silent pipeline between personal device compromise and corporate ransomware attacks. A threat intelligence and incident response analysis.

Cloud · Kubernetes · BaaS · APIs · Identity

Platform Security · 23 posts

Deep-dive research on specific platforms: AWS, Supabase, Hasura, Clerk, Auth0, Kubernetes, and more. Real attack patterns, real hardening.

OAuth · 2026-04-12

OAuth 2.1 Migration in 2026: What Actually Changed and How to Move

OAuth 2.1 is the consolidated successor to OAuth 2.0 that deprecates the grant types that caused most real-world security bugs. The IETF draft became final in early 2026. Here is what changed, what to migrate first, and the specific patterns we see failing most often.

macOS · 2026-04-12

macOS Enterprise Hardening in 2026: The Configuration Beyond MDM Defaults

Apple's macOS is increasingly dominant in enterprise fleets. Security, design, finance, and executive teams ship on Mac. The default MDM configurations miss several important hardening controls. Here is the 2026 macOS enterprise hardening baseline.

Kubernetes · 2026-04-11

Kubernetes Admission Controllers: The Policy Layer Most Clusters Forget

Most Kubernetes clusters we audit have RBAC sort-of configured, NetworkPolicies mostly working, and wide-open admission policy. A compromised service account that can create pods can create privileged pods, mount the host filesystem, and escape containers. Here is the admission controller configuration that stops this.

Windows · 2026-04-09

PowerShell Security for Enterprises in 2026: The Configuration Every Windows Shop Needs

PowerShell is the most powerful administrative tool on Windows and the most powerful post-exploitation framework for attackers. The enterprise configuration that enables defenders without enabling attackers is narrow. Here is the exact configuration that works in 2026.

Microsoft Entra · 2026-04-08

Microsoft Entra ID Conditional Access: The 8 Gaps We Find in Every Audit

Microsoft Entra ID Conditional Access is the primary security control for M365 / Azure-dependent organizations. After running dozens of Entra ID audits in 2025-2026, these are the 8 configuration gaps we find repeatedly. Most produce real risk.

Zero Trust · 2026-04-04

Zero Trust for Fully-Remote Companies: A Real-World Playbook

Most Zero Trust guidance assumes you have a corporate office. For fully-distributed companies with no corporate network, the architecture looks different. Here is the 2026 playbook for 50-500 person remote-first companies.

Salesforce · 2026-04-01

Salesforce Experience Cloud: The Multi-Million Dollar Misconfiguration Problem

Salesforce Experience Cloud (formerly Community Cloud) continues to expose sensitive Salesforce data due to misconfigured guest user profiles and permissive sharing rules. The pattern has caused multiple 2024-2026 breaches. Here is how to audit your own deployment.

AWS · 2026-03-31

AWS IMDS Attacks: SSRF to Role Credentials to Full Account Compromise

The Capital One breach ($190M settlement) exploited a textbook IMDSv1 SSRF attack to exfiltrate 106 million customer records. A deep dive into AWS Instance Metadata Service security, IMDSv1 vs v2, SSRF exploitation, enforcement SCPs, and the cloud penetration testing runbook we use on Valtik engagements.

OpenSSH · 2026-03-31

OpenSSH 10.0 Security Changes: What Enterprise Defenders Need to Know

OpenSSH 10.0 shipped in April 2026 with post-quantum key agreement by default, legacy algorithm removals, and changes to agent forwarding behavior. Here are the changes that matter for enterprise sysadmins and what to expect during rollout.

Hasura · 2026-03-30

Hasura GraphQL: Introspection, Auth Bypass, and Admin Secret Cracking

Hasura's permissive defaults, introspection-by-default, and shared-secret admin model make it a recurring finding on B2B SaaS penetration tests. A deep dive into GraphQL security audit patterns, row-level permission failures, and the hardening checklist for production Hasura deployments.

Authentication · 2026-03-30

MFA Fatigue Attacks in 2026: Why Number Matching Is Not Enough Anymore

Push notification MFA with number matching was the defense against 2022-2024 MFA fatigue attacks. Adversaries adapted. Here is what is working in 2026, and why FIDO2 and session-binding are now the floor, not the ceiling.

Auth0 · 2026-03-02

Auth0 Rules and Actions: The Hidden Code Execution Surface In Your Auth Provider

Auth0 runs your authentication. It also runs arbitrary JavaScript that your team (or past team members) wrote, triggered on every login. Auth0 Rules, Actions, and Hooks are code-execution surfaces that most organizations don't audit. A practical walkthrough of the attack patterns we find: compromised Rules, leaky Actions, privilege escalation via metadata manipulation, and the hardening every Auth0 tenant needs.

Surveillance · Data Brokers · Forensics

Consumer Privacy & Opsec · 37 posts

What surveillance actually looks like in 2026, what data is collected about you, and what you can do about it.

Active Directory · 2026-04-10

Active Directory Tier Zero in 2026: The Privilege Boundary Every AD Audit Must Check

Microsoft's Active Directory administrative tier model turns 10 years old in 2026. Most enterprise AD environments still have not implemented it properly. Here is what Tier 0 means, why it matters, and the specific audit procedure that finds the gaps before attackers do.

DNS Security · 2026-04-07

DNS-over-HTTPS for Corporate Networks: The 2026 Tradeoffs

DoH in consumer browsers was the 2020-2023 story. DoH in enterprise networks is the 2026 story: a different set of tradeoffs between user privacy, security monitoring, and content filtering. Here is how defenders should think about it.

Ad Tech · 2026-03-26

How 200 Companies Learn Everything About You in 100 Milliseconds

Real-Time Bidding broadcasts your browsing data to hundreds of companies in under 100ms per page load. A deep dive into browser fingerprinting, cross-device tracking, and online profiling with data privacy implications.

Apple iCloud · 2026-03-26

iCloud Forensics: What Apple Actually Gives Law Enforcement

Your iPhone is the most private consumer device ever built. Your iCloud backup is not. A practical walkthrough of what Apple does, and doesn't, hand over when law enforcement subpoenas your account, why Advanced Data Protection changes everything, and the one-click setting most iPhone users still haven't enabled.

Ad Blocker · 2026-03-25

Ad Blockers That Actually Work in 2026 (and the Ones That Don't)

Google's Manifest V3 killed most ad blockers in 2024. Chrome now ships with gutted tracker-blocking capabilities. The good news: the good ones still work, they just aren't on Chrome anymore. A 2026 guide to the ad blockers that still meaningfully block ads and trackers, the ones that have been quietly neutered, and the DNS-level approach that works everywhere.

Google · 2026-03-25

Google Takeout: The Full Audit of What Google Actually Has On You

Go to takeout.google.com and request all of your data. The archive will typically run 50 to 500 GB. It contains things you did not know Google was storing, including 10+ years of location history, every Google Assistant voice command, and a complete index of what you've watched, searched, purchased, and typed. A practical walkthrough of what's in there and what to delete.

VPN · 2026-03-22

Corporate VPN vs Personal VPN: What Your Employer Can Actually See

When your company has you connect to a VPN for remote work, that VPN isn't for your privacy. It's for your employer's visibility. Every DNS query, every HTTPS connection, every packet going through a corporate VPN can be logged and inspected. A practical walkthrough of what corporate VPNs actually do, what your employer sees, and why you should never run personal activities through them.

EdTech Surveillance · 2026-03-20

Your Kid's School Is Monitoring Everything: Gaggle, Bark, GoGuardian Explained

Your kid's school likely runs software that reads every email, monitors every Google Doc, scans every search, and uses AI to flag 'concerning' content. Gaggle, Bark, GoGuardian, and Securly are deployed in US K-12 schools covering roughly 20 million students. What the tools actually do, what they've gotten wrong, and what parents can (and cannot) opt out of.

Workplace Monitoring · 2026-03-20

Workplace Monitoring Software: What Your Employer Can Actually See

If you work remotely, there's a 70%+ chance your employer runs monitoring software on your work device. Hubstaff, Teramind, Veriato, ActivTrak, Time Doctor, and dozens more capture screenshots, log keystrokes, track location, and measure your productivity in ways most employees don't fully understand. What these tools actually see, what's legal, and how to know if you're being monitored.

Smart Home · 2026-03-18

Smart Home Threat Model: Every Device On Your Network, Every Attack Surface

The average American home now has 22+ connected devices: TVs, doorbells, thermostats, cameras, light bulbs, appliances, fitness trackers, each one a tiny computer with varying security postures. A practical walkthrough of smart home attack surfaces in 2026, the devices most commonly compromised, and the network segmentation approach that actually works for consumers.

Strava · 2026-03-17

Strava Heat Maps: How Fitness Data Exposed Every Secret Military Base

In 2018, a 20-year-old student noticed Strava's global heat map glowed in places it shouldn't: remote deserts, Arctic ice, supposedly-unoccupied Pacific atolls. He had found every classified military base on Earth by following soldiers who ran laps. Eight years later, Strava still leaks. A deep dive into fitness-data OSINT and what it means for your threat model.

Voice Cloning · 2026-03-16

Your Voice Is 3 Seconds From Being a Weapon: AI Voice Cloning in 2026

AI voice cloning scam success rates tripled in two years. The FTC logged 250,000 complaints in Q1 2026 alone, averaging $12,500 per victim. Three seconds of your voice is all it takes. A plain-English guide to how the attack works, who's being targeted, and three defenses that actually stop it.

Security Stack Decisions

Tools & Comparisons · 5 posts

Honest comparisons of security tools, platforms, and frameworks. Which to use, when, and why.

Browser Isolation · 2026-04-04

Browser Isolation in 2026: Finally Worth Deploying at Scale

Browser isolation has been a niche enterprise product for a decade. In 2026, it finally makes economic and operational sense for mid-market deployments. Here is what changed, the vendor shootout, and the deployment patterns that work.

Directus · 2026-03-02

Directus Headless CMS: Role Escalation, File Library Exposure, and the Defaults That Bite

Directus is one of the most popular open-source headless CMS platforms, sitting behind thousands of production websites, mobile apps, and IoT data flows. It's also a recurring audit finding: permission templates that don't scale, file library exposure, API access tokens with excessive privileges, and the Flows engine's hook execution that becomes an attack vector when misused.

Cloud Security · 2026-02-10

CSPM Tools in 2026: Wiz, Prisma, Orca, Lacework, and the Cloud-Native Choice

Cloud Security Posture Management (CSPM) is the primary approach to finding misconfigurations across AWS, GCP, and Azure at scale. The market has consolidated around a few major players plus emerging CNAPP (Cloud-Native Application Protection Platform) offerings. A practical comparison of Wiz, Prisma Cloud, Orca, Lacework, and cloud-native alternatives, plus the framework for choosing the right tool.

AppSec Tooling · 2026-02-06

SAST vs DAST vs IAST vs SCA in 2026: What Actually Catches Bugs in Modern Codebases

Every enterprise AppSec program has some combination of SAST, DAST, IAST, and SCA tools. Most of them are misconfigured, noisy, or chasing the wrong vulnerabilities. Here is the real-world comparison for 2026, the tool shootout (Semgrep, Snyk, Checkmarx, Veracode, SonarQube, Contrast), and the integration patterns that do not drive engineers insane.

Clerk · 2026-01-19

Clerk Auth: The unsafe_metadata Footgun

Clerk's unsafe_metadata field is client-writable by design. If your application security model reads role assignments from metadata without server-side validation, any authenticated user can escalate to admin. A practical penetration testing guide to finding and fixing this privilege escalation vulnerability.

Research driving engagements

Our engagements apply the same research methodology to your environment. If you want the specific findings for your stack, start with a free security check.