Practical guides for modern security
Honest writing on SOC 2 readiness, continuous compliance, vulnerability management, incident response, and the messy realities of keeping a regulated business secure.
Prompt Injection and Securing the AI Features You Ship: A Field Guide for Small Teams Building With LLMs
The moment your product calls a large language model, you have shipped a new and genuinely strange class of vulnerability — one where the attacker writes instructions in plain English and the model cannot reliably tell them apart from your own. This is not the risk of employees pasting data into chatbots; it is the risk of the AI features you build. A grounded walk through prompt injection, why the model confuses instructions with data, why giving the model tools turns a clever trick into real damage, and the controls that actually contain it.
Scoping a Penetration Test: Rules of Engagement That Get You a Useful Report Instead of an Expensive One
A penetration test is only as good as the conversation you have before it starts. Vague scope and missing rules of engagement are how teams end up paying for a report that tests the wrong things, misses what they actually needed, or — worse — takes down production. This is the pre-engagement discipline: defining scope, objectives, rules of engagement, and the authorization that separates a sanctioned test from a crime, so the money buys real assurance.
Dependency Confusion: When Your Build Trusts a Package You Never Meant To Install
Your build pulls hundreds of packages from public registries, and it decides which version to fetch by rules an attacker can game. Publish a malicious package with your internal name and a higher version number, and the build may reach past your private one and grab theirs. How a lean team pins, scopes, and watches the supply chain so the build installs only what you meant.
Subdomain Takeover: The Forgotten DNS Record That Hands Attackers Your Name
You spun up status.yourcompany.com on a cloud host, tore the host down months later, and left the DNS record pointing at nothing. An attacker can claim that abandoned infrastructure and serve their content — phishing, malware, cookie theft — under your subdomain, with your reputation. How a lean team finds and closes dangling DNS before someone else does.
The Web Supply Chain: The Third-Party Scripts Running on Your Customers' Browsers
Every analytics tag, chat widget, and payment script you embed runs with full access to the page your customers trust — including the checkout form. When a third-party script is compromised, the attacker skims your data from inside your own site. How a lean team inventories, constrains, and monitors the code it didn't write but still ships.
Standing Up a Vulnerability Disclosure Program (Without a Security Team)
A stranger finds a bug in your product and wants to tell you — and has no obvious way to do it. A vulnerability disclosure program is the cheap, high-signal channel that turns that goodwill into a tracked finding instead of a tweet. How a lean team sets one up with a security.txt file, a clear policy, and the workflow you already run.