Research, study plans & articles
Written by the people who run the assessments — technical articles, a structured study plan, and practical playbooks, kept close to what actually happens on an engagement.
Recent technical writing
SQL Injection in 2026: why it still works and how to close it for good
A walkthrough of how modern SQL injection variants slip past basic input validation, and the layered defence — parameterised queries, least-privilege database accounts, and continuous testing — that actually closes the gap.
The misconfiguration patterns behind most cloud breaches
Overly permissive identity roles, public storage left open by default, and unmonitored service accounts show up in almost every cloud incident we investigate. Here's how to find them before an attacker does.
Securing ML pipelines: the endpoints your VAPT scope probably misses
Model endpoints, feature stores, and training data pipelines carry their own attack surface. A look at where they typically get overlooked in traditional application testing scopes.
Broken object-level authorisation: the API bug that keeps recurring
Why authorisation checks that work fine in manual testing quietly fail once an API scales, and the review pattern we use to catch it before it ships.
Hardening CI/CD: the pipeline secrets attackers look for first
A practical rundown of the credential and configuration mistakes we most often find during pipeline reviews, and the fixes that take under an hour.
A structured path from fundamentals to operations
Built for students, junior analysts, and teams who want a serious, sequenced curriculum instead of a scattered list of links — the same foundation our own consultants started from.
Fundamentals
Networking basics, operating system internals, common web technologies, and the core vocabulary of offensive and defensive security.
Network & application security
Web application vulnerability classes, API security, mobile app testing basics, and hands-on practice with manual testing techniques.
Cloud & operations
Cloud security fundamentals, detection and monitoring concepts, incident response basics, and how findings translate into a real report.
Short, practical, and immediately usable
These support both clients tightening their own environment and learners working through the study plan — written to be acted on the same day you read them.
Cloud-hardening checklist
A working checklist for identity permissions, storage configuration, and logging — the same items we check first on a cloud assessment.
Secure deployment patterns
Reference patterns for shipping application changes without introducing the pipeline and configuration issues we see most often.
Data-protection best practices
Practical guidance on classifying, storing, and handling sensitive data in a way that holds up to both attackers and auditors.
Incident response basics
A first-hours playbook for containing an incident and preserving evidence, written for teams without a dedicated response function yet.