Articles

Practical guides for modern security

Honest writing on SOC 2 readiness, continuous compliance, vulnerability management, incident response, and the messy realities of keeping a regulated business secure.

15 articles
Vulnerabilities11 min read

Prompt Injection and Securing the AI Features You Ship: A Field Guide for Small Teams Building With LLMs

The moment your product calls a large language model, you have shipped a new and genuinely strange class of vulnerability — one where the attacker writes instructions in plain English and the model cannot reliably tell them apart from your own. This is not the risk of employees pasting data into chatbots; it is the risk of the AI features you build. A grounded walk through prompt injection, why the model confuses instructions with data, why giving the model tools turns a clever trick into real damage, and the controls that actually contain it.

Paul HittJul 12, 2026
Vulnerabilities10 min read

Scoping a Penetration Test: Rules of Engagement That Get You a Useful Report Instead of an Expensive One

A penetration test is only as good as the conversation you have before it starts. Vague scope and missing rules of engagement are how teams end up paying for a report that tests the wrong things, misses what they actually needed, or — worse — takes down production. This is the pre-engagement discipline: defining scope, objectives, rules of engagement, and the authorization that separates a sanctioned test from a crime, so the money buys real assurance.

Paul HittJul 11, 2026
Vulnerabilities8 min read

Dependency Confusion: When Your Build Trusts a Package You Never Meant To Install

Your build pulls hundreds of packages from public registries, and it decides which version to fetch by rules an attacker can game. Publish a malicious package with your internal name and a higher version number, and the build may reach past your private one and grab theirs. How a lean team pins, scopes, and watches the supply chain so the build installs only what you meant.

Paul HittJul 1, 2026
Vulnerabilities7 min read

Subdomain Takeover: The Forgotten DNS Record That Hands Attackers Your Name

You spun up status.yourcompany.com on a cloud host, tore the host down months later, and left the DNS record pointing at nothing. An attacker can claim that abandoned infrastructure and serve their content — phishing, malware, cookie theft — under your subdomain, with your reputation. How a lean team finds and closes dangling DNS before someone else does.

Paul HittJun 28, 2026
Vulnerabilities8 min read

The Web Supply Chain: The Third-Party Scripts Running on Your Customers' Browsers

Every analytics tag, chat widget, and payment script you embed runs with full access to the page your customers trust — including the checkout form. When a third-party script is compromised, the attacker skims your data from inside your own site. How a lean team inventories, constrains, and monitors the code it didn't write but still ships.

Paul HittJun 26, 2026
Vulnerabilities8 min read

Standing Up a Vulnerability Disclosure Program (Without a Security Team)

A stranger finds a bug in your product and wants to tell you — and has no obvious way to do it. A vulnerability disclosure program is the cheap, high-signal channel that turns that goodwill into a tracked finding instead of a tweet. How a lean team sets one up with a security.txt file, a clear policy, and the workflow you already run.

Paul HittJun 21, 2026
Articles — Hosting Security