Platform Security
Deep-dive research on specific platforms. AWS, Supabase, Hasura, Clerk, Auth0, Kubernetes, and more. Real attack patterns, real hardening.
23 posts in this cluster
OAuth 2.1 Migration in 2026: What Actually Changed and How to Move
OAuth 2.1 is the consolidated successor to OAuth 2.0 that deprecates the grant types that caused most real-world security bugs. The IETF draft became final in early 2026. Here is what changed, what to migrate first, and the specific patterns we see failing most often.
macOS Enterprise Hardening in 2026: The Configuration Beyond MDM Defaults
Apple's macOS is increasingly dominant in enterprise fleets. Security, design, finance, and executive teams ship on Mac. The default MDM configurations miss several important hardening controls. Here is the 2026 macOS enterprise hardening baseline.
Kubernetes Admission Controllers: The Policy Layer Most Clusters Forget
Most Kubernetes clusters we audit have RBAC sort-of configured and NetworkPolicies mostly working. And wide-open admission policy. A compromised service account that can create pods can create privileged pods, mount the host filesystem, and escape containers. Here is the admission controller configuration that stops this.
PowerShell Security for Enterprises in 2026: The Configuration Every Windows Shop Needs
PowerShell is the most powerful administrative tool on Windows and the most powerful post-exploitation framework for attackers. The enterprise configuration that enables defenders without disabling attackers is narrow. Here is the exact configuration that works in 2026.
Microsoft Entra ID Conditional Access: The 8 Gaps We Find in Every Audit
Microsoft Entra ID Conditional Access is the primary security control for M365 / Azure-dependent organizations. After running dozens of Entra ID audits in 2025-2026, these are the 8 configuration gaps we find repeatedly. Most produce real risk.
Zero Trust for Fully-Remote Companies: A Real-World Playbook
Most Zero Trust guidance assumes you have a corporate office. For fully-distributed companies with no corporate network, the architecture looks different. Here is the 2026 playbook for 50-500 person remote-first companies.
Salesforce Experience Cloud: The Multi-Million Dollar Misconfiguration Problem
Salesforce Experience Cloud (formerly Community Cloud) continues to expose sensitive Salesforce data due to misconfigured guest user profiles and permissive sharing rules. The pattern has caused multiple 2024-2026 breaches. Here is how to audit your own deployment.
AWS IMDS Attacks: SSRF to Role Credentials to Full Account Compromise
The Capital One breach ($190M settlement) exploited a textbook IMDSv1 SSRF attack to exfiltrate 106 million customer records. A deep dive into AWS Instance Metadata Service security, IMDSv1 vs v2, SSRF exploitation, enforcement SCPs, and the cloud penetration testing runbook we use on Valtik engagements.
OpenSSH 10.0 Security Changes: What Enterprise Defenders Need to Know
OpenSSH 10.0 shipped in April 2026 with post-quantum key agreement by default, legacy algorithm removals, and changes to agent forwarding behavior. Here are the changes that matter for enterprise sysadmins and what to expect during rollout.
Hasura GraphQL: Introspection, Auth Bypass, and Admin Secret Cracking
Hasura's permissive defaults, introspection-by-default, and shared-secret admin model make it a recurring finding on B2B SaaS penetration tests. A deep dive into GraphQL security audit patterns, row-level permission failures, and the hardening checklist for production Hasura deployments.
MFA Fatigue Attacks in 2026: Why Number Matching Is Not Enough Anymore
Push notification MFA with number matching was the defense against 2022-2024 MFA fatigue attacks. Adversaries adapted. Here is what is working in 2026. And why FIDO2 and session-binding are now the floor, not the ceiling.
Auth0 Rules and Actions: The Hidden Code Execution Surface In Your Auth Provider
Auth0 runs your authentication. It also runs arbitrary JavaScript that your team (or past team members) wrote, triggered on every login. Auth0 Rules, Actions, and Hooks are code-execution surfaces that most organizations don't audit. A practical walkthrough of the attack patterns we find. Compromised Rules, leaky Actions, privilege escalation via metadata manipulation, and the hardening every Auth0 tenant needs.
Strapi CMS Security: JWT Forgery, Plugin Vulnerabilities, and the Default Admin Problem
Strapi is the most popular open-source headless CMS, with tens of thousands of production deployments. It's also a recurring finding on our platform audits. JWT secrets that can be guessed, plugin vulnerabilities that haven't been patched, admin panels exposed to the internet, and role permissions that commonly grant too much. A deep dive into the Strapi attack patterns and hardening.
PocketBase Self-Hosted: 7 Ways Your Backend Gets Owned
PocketBase is a self-hosted, single-binary open-source backend-as-a-service written in Go. It's elegant, fast, and shipping in thousands of projects. It also has a consistent pattern of misconfiguration we find on audits. Admin panels exposed, permissive record rules, auth bypass patterns, and hook misuse that turn a clean little binary into a data exposure.
AWS Cognito: Identity Pool Misconfiguration and the IAM Role Confusion Attack
AWS Cognito has two parts: User Pools (authentication) and Identity Pools (authorization for AWS services). Most Cognito security thinking focuses on User Pools. Password policies, MFA, account security. The much more dangerous failure mode is in Identity Pools, where misconfigurations let unauthenticated users assume IAM roles with excessive privilege. A deep dive into the role confusion attacks we find on Cognito deployments.
Webhook Forgery: Stripe, Twilio, SendGrid, and the Signature Verification Developers Always Get Wrong
Your payment processor sends you a webhook saying a customer paid. You mark their order fulfilled. Except nobody paid. An attacker forged the webhook. Webhook signature verification is the most commonly skipped, misimplemented, or silently-broken security control in modern web applications. The specific bugs we find on every audit and how to actually implement verification correctly.
Building a Bug Bounty Program in 2026: From Zero to Paying Researchers Without Ruining Your Week
Running a bug bounty program is not just launching on HackerOne and hoping for the best. We have seen programs burn through $2M in the first year because the scope was too broad and the triage process did not exist. Here is the 2026 playbook for launching a program that finds real bugs without destroying engineering velocity.
API Gateway Security: The Perimeter Most Organizations Forget to Harden
API gateways sit between your customers and your services. They handle authentication, rate limiting, routing, and often act as the edge of your entire platform. A compromised or misconfigured gateway is a compromised platform. A practical walkthrough of API gateway attack patterns. Kong, Apigee, AWS API Gateway, and self-hosted options. Plus the hardening that actually works.
SPF, DKIM, and DMARC in 2026: The Email Security Stack That Still Actually Works
Business email compromise costs US companies $2.9 billion a year. The defense is 30 years of email authentication standards that most companies still deploy incorrectly. Full config walkthrough for Gmail, Microsoft 365, and self-hosted with real DNS records, real BIMI setup, and the mistakes that silently break everything.
The 10 Kubernetes RBAC Misconfigurations We Find on Every Cluster Audit
Kubernetes RBAC is the primary access-control mechanism for every production cluster. And it's misconfigured on every single cluster we've audited. The 10 patterns we find every time, the exploitation paths each enables, and the tightening rules that stop them.
Zero Trust Architecture in 2026: Past the Buzzword, Into the Implementation
Zero Trust has been a marketing term since 2014 and a budget line item since 2020. Here is what actually ships in 2026, NIST SP 800-207 in practice, the vendor shootout (Zscaler, Cloudflare, Netskope, Cato, Palo Alto), and the implementation mistakes that turn Zero Trust into a VPN with a nicer logo.
Argo CD: GitOps With Default Admin
ArgoCD dashboards exposed without auth leak Kubernetes cluster internals, deployment configurations, and sync tokens. A lateral movement vector that turns a single misconfiguration into full cluster compromise. A Kubernetes penetration testing and cloud security deep dive.
Grafana: admin/admin Still Works in 2026
Grafana dashboards with admin/admin default credentials are still everywhere. Once inside, attackers pivot to the datasources. Prometheus, PostgreSQL, Elasticsearch. And extract credentials. A common finding in vulnerability assessments and external penetration testing.
Jump to another topic
Apply this research to your environment
Our engagements apply the same research methodology surfaced in these posts to your specific stack. Start with a free security check.