Original research, organized by theme
47+ cybersecurity analyses clustered by what they cover. Jump straight to compliance research if you are preparing for an audit. Threat intel if you are tracking current adversary behavior. Platform security if you are architecting a stack.
Compliance & Regulatory (9 posts)
Regulatory frameworks decoded: what changed, what the auditors check, what the fines are when you get it wrong.
See all 9 compliance & regulatory posts →

PCI DSS 4.0: The March 2025 Mandate That's Still Biting E-Commerce
PCI DSS 4.0 became mandatory March 31, 2025. A year later, e-commerce merchants are still flunking compliance assessments, QSAs are being stricter, and payment processors are issuing non-compliance notices. A practical walkthrough of what actually changed from 3.2.1, the requirements biting merchants hardest, and how to actually pass a 4.0 assessment.
What ChatGPT, Claude, and Gemini Actually Keep About You
Every AI chatbot retains your conversations. Retention periods, training use, law enforcement access, and breach history vary dramatically. A practical data privacy map of ChatGPT, Claude, Gemini, Copilot, Grok, and Meta AI — including the NYT v. OpenAI court order requiring indefinite retention.
Your Encryption Has an Expiration Date
Every HTTPS connection, Signal chat, and VPN on the internet relies on crypto that quantum computers will break. NIST finalized the replacements in 2024. A post-quantum cryptography migration guide for application security and compliance teams.
Inside a Ransomware Gang: HR Departments, Salaries, and Bonuses
Ransomware-as-a-Service operations like LockBit, BlackCat, and Cl0p run on affiliate economics. The business model evolution from ransomware attacks to double-extortion, and what it means for incident response and cyber insurance.
Clearview AI's Privacy Settlement: Victims Are Now Shareholders
Clearview AI scraped 30+ billion photos from the public internet to build a facial recognition system sold to law enforcement. A landmark $52 million ACLU settlement followed. A data privacy and facial recognition investigation.
$438 Million Stolen: The LastPass Breach Three Years Later
The LastPass breaches cost users $438 million in cryptocurrency theft and destroyed enterprise trust in cloud password managers. A deep dive into the breach timeline, architectural failures, and password manager security comparisons.
The $434 Billion Industry That Knows Where You Sleep
The US data broker industry is a $200+ billion economy selling everything from your home address to your health conditions. A data privacy investigation with opsec guidance for consumer cybersecurity.
Keycloak: Realm Configuration Tells You Everything
Keycloak is enterprise identity and access management — and a high-value target. Publicly exposed realms, enabled self-registration, and console access lead to full SSO compromise. A penetration testing guide to IAM security audits and incident response.
MongoDB: The Database That Ships Without a Lock
MongoDB deployed with --bind_ip 0.0.0.0 and no authentication is still being indexed by Shodan in 2026. The ransomware groups know it. A reminder of why database penetration testing and vulnerability assessments matter for compliance.
Threat Intelligence (16 posts)
How actual threat actors operate right now. Analysis of recent incidents, attack patterns, and defense implications.
See all 16 threat intelligence posts →

Fake Americans, Real Influence: Inside State-Sponsored Propaganda
Russia's IRA reached 126 million Americans. China's GoLaxy leak revealed 3,692 AI personas targeting US officials. A threat intelligence investigation into foreign state propaganda operations and defensive opsec.
A Hacker Spent Two Years Earning Trust to Backdoor the Internet
The XZ Utils backdoor (CVE-2024-3094) was a near-miss supply chain attack three years in the making. Nation-state patience turned systemd's liblzma dependency into an SSH RCE. A supply chain security and threat intelligence case study.
Every Person on the Video Call Was Fake: The $25.6 Million Deepfake Heist
In 2024, a Hong Kong finance worker wired $25.6 million after a deepfake video call with his CFO. Social engineering is entering a new era. A guide to incident response and security awareness training for the deepfake threat.
Anthropic Mythos Found Thousands of Zero-Days. Here Is What That Actually Means.
Claude Mythos autonomously found 595 crashes across 1,000 OSS repos, including a 17-year-old FreeBSD NFS RCE (CVE-2026-4747). What it actually does and why it matters for vulnerability research and threat intelligence.
Your AI Chatbot Is a Fancy Calculator. Here Is Why.
LLMs are next-token prediction engines, not reasoning machines. A technical takedown of AI sentience claims with implications for cybersecurity, social engineering, and threat intelligence.
16 Billion Credentials Leaked in 2025: The Infostealer Epidemic
Infostealer malware like RedLine, Raccoon, and Lumma exfiltrated 3.2 billion credential records in 2025. The silent pipeline between personal device compromise and corporate ransomware attacks. A threat intelligence and incident response analysis.
Your Phone Got Hacked and You Did Nothing Wrong
Pegasus, Predator, and other nation-state spyware deploy zero-click exploits that require no user interaction. A threat intelligence and mobile security explainer on NSO Group-class surveillance.
How North Korea Stole $6.75 Billion in Cryptocurrency
The Lazarus Group stole 60% of all cryptocurrency losses in 2024 — $1.34 billion from a single Bybit breach. North Korea's cyber operations directly fund nuclear weapons. A threat intelligence and incident response deep dive.
China Hacked America's Wiretap System. And They're Probably Still Inside
Chinese state-sponsored Salt Typhoon compromised US telecom carriers including AT&T, Verizon, and T-Mobile — the lawful intercept systems used for surveillance got owned. CISA called it the largest telecom hack in US history. A threat intelligence and nation-state cyber attack investigation.
SMS Two-Factor Is a $26 Million Lie
SIM swap attacks have stolen $200+ million in cryptocurrency from SMS-based 2FA users. Passkeys and hardware security keys are the only reliable defense. An authentication security and threat intelligence guide.
Jenkins: From Anonymous Read to Full RCE
Jenkins with anonymous read enabled exposes the Groovy Script Console for authenticated remote code execution. Compromise one CI/CD server and you own every credential, every pipeline, every repo, every production deployment. A supply-chain attack and penetration testing walkthrough.
Sentry: Your Error Tracker Is Leaking Secrets
Sentry captures stack traces and error context, which routinely includes API keys, database URLs, and session tokens. Public Sentry orgs leak these during error reporting. A recurring finding in application security penetration tests and vulnerability assessments.
Platform Security (4 posts)
Deep-dive research on specific platforms — AWS, Supabase, Hasura, Clerk, Auth0, Kubernetes, and more. Real attack patterns, real hardening.
See all 4 platform security posts →

AWS IMDS Attacks: SSRF to Role Credentials to Full Account Compromise
The Capital One breach ($190M settlement) exploited a textbook IMDSv1 SSRF attack to exfiltrate 106 million customer records. A deep dive into AWS Instance Metadata Service security, IMDSv1 vs v2, SSRF exploitation, enforcement SCPs, and the cloud penetration testing runbook we use on Valtik engagements.
Hasura GraphQL: Introspection, Auth Bypass, and Admin Secret Cracking
Hasura's permissive defaults, introspection-by-default, and shared-secret admin model make it a recurring finding on B2B SaaS penetration tests. A deep dive into GraphQL security audit patterns, row-level permission failures, and the hardening checklist for production Hasura deployments.
Argo CD: GitOps With Default Admin
ArgoCD dashboards exposed without auth leak Kubernetes cluster internals, deployment configurations, and sync tokens. A lateral movement vector that turns a single misconfiguration into full cluster compromise. A Kubernetes penetration testing and cloud security deep dive.
Grafana: admin/admin Still Works in 2026
Grafana dashboards with admin/admin default credentials are still everywhere. Once inside, attackers pivot to the datasources — Prometheus, PostgreSQL, Elasticsearch — and extract credentials. A common finding in vulnerability assessments and external penetration testing.
Consumer Privacy & Opsec (17 posts)
What surveillance actually looks like in 2026, what data is collected about you, and what you can do about it.
See all 17 consumer privacy & opsec posts →

How 200 Companies Learn Everything About You in 100 Milliseconds
Real-Time Bidding broadcasts your browsing data to hundreds of companies in under 100ms per page load. A deep dive into browser fingerprinting, cross-device tracking, and online profiling with data privacy implications.
Your Ring Doorbell Gave Police Your Footage 11 Times Without Asking
Amazon Ring's integration with Axon and 2,500+ US police departments turned consumer doorbells into a warrantless surveillance grid. A data privacy and consumer cybersecurity investigation with opsec guidance.
Facebook Built a Profile on You Even If You Never Signed Up
Facebook maintains detailed shadow profiles of non-users through contact uploads, pixel tracking, and data broker feeds. You can't opt out of profiles you never agreed to create. A data privacy and consumer cybersecurity investigation.
20 Billion Scans a Month: The Camera Network Watching Every Car
Flock Safety ALPR networks cover 4,000+ US municipalities. Your car's movement is logged without a warrant and shared across jurisdictions. A data privacy and surveillance explainer with opsec guidance.
Your Car Knows Where You Went Last Tuesday at 3:47 PM
Modern cars collect driving data, location history, voice recordings, and biometric data. Insurance companies buy it through telematics brokers. A consumer cybersecurity and data privacy deep dive into automotive surveillance.
Your Smart TV Takes a Screenshot Every Half Second
Smart TVs run Automatic Content Recognition (ACR) that fingerprints every frame on your screen, including content from HDMI inputs. Samsung, LG, Vizio, and Roku all face lawsuits over this surveillance. A consumer cybersecurity and data privacy explainer.
VPN Reality Check: Who Actually Logs, Who Actually Protects
VPN marketing claims "military-grade encryption" and "complete anonymity." The reality is much narrower. A ranked breakdown of audited providers (Mullvad, Proton, IVPN, OVPN), providers caught lying in court, sketchy parent companies, and what a VPN can and cannot protect against in your actual threat model.
Encrypted Messengers Ranked: Signal vs WhatsApp vs iMessage vs Telegram vs Matrix
Not every 'encrypted messenger' is actually encrypted. A practical comparison of Signal, WhatsApp, iMessage with ADP, Telegram, Matrix, Session, and SimpleX — including metadata exposure, jurisdiction, open-source status, and E2EE default behavior for data privacy decisions.
Seven Government Surveillance Powers You Have Never Heard Of
Geofence warrants, keyword warrants, tower dumps, Stingrays, NSLs, and Section 702 are the surveillance mechanisms that don't require a conventional warrant. A comprehensive data privacy and opsec investigation into modern government surveillance.
ICE Built a $300 Million Surveillance Machine
ICE's $22 billion surveillance apparatus integrates DMV records, utility data, Palantir Gotham, and data broker feeds. A data privacy and surveillance investigation with consumer cybersecurity implications.
Digital Forensics: Exactly What They Can Pull From Your Devices
Cellebrite and GrayKey extract every message, location, authentication token, and deleted file from your phone — when the device is in the AFU state. A digital forensics deep dive into mobile security, BFU/AFU extraction, and GrapheneOS hardening.
What Police Can Actually Extract From Your Phone in 2026
Cellebrite and GrayKey extractions pull every message, photo, location, and authentication token from your phone. A digital forensics and consumer cybersecurity guide with opsec hardening tips.
Tools & Comparisons (1 post)
Honest comparisons of security tools, platforms, and frameworks. Which to use, when, and why.
See the 1 tools & comparisons post →

Research driving engagements
Our engagements apply the same research methodology to your environment. If you want the specific findings for your stack, start with a free security check.
