Platform Security
Deep-dive research on specific platforms. AWS, Supabase, Hasura, Clerk, Auth0, Kubernetes, and more. Real attack patterns, real hardening.
31 posts in this cluster
Building a real-time CVE detection-to-broadcast pipeline that hits X's 30-minute algorithmic velocity window
Engineering writeup of the Valtik flash-scanner pipeline we run in production. 26 RSS feeds polled every 10 minutes, 7-template rule-based drafter (not LLM, for cost + latency + hallucination reasons), 100-point validator that catches em-dashes and title-case dumps, auto-approve gate (validator score >=95 + CVE present + known vendor + 14-day dedup) that pushes 60-70% of drafts straight to live broadcast, real-time poster via xdk SDK, scheduled-drip fallback at 5am/9am/12pm PT. Three war stories included: the CVE dedup bug that posted PAN-OS twice (fix: dedup on the canonical id not the source URL), the OAuth1 token-scope footgun (fix: regenerate access token after flipping app perms, because tokens are baked at issue time and the X dev portal UI implies otherwise), and the 15-hour stuck-cron incident (fix: socket.setdefaulttimeout(10) at the top of every cron'd script). Plus the reply path that targets the algorithm's 75x weight for author-replies-to-replies, the highest single positive signal in the engagement graph.
A login bug where the password "null" works. The Note Mark OIDC bypass and what it teaches every auth team.
GHSA-pxf8-6wqm-r6hh: Note Mark's local-password endpoint accepted the literal string 'null' as a valid password for users who'd been migrated to OIDC. The hash field was NULL in the database; bcrypt.compare coerced both sides to the string 'null' and returned true. One null check would have prevented it. Walk through the bug, the broader pattern (any app that added SSO to a previously local-auth codebase), and the static + runtime detection rules every team should adopt.
Traefik shipped three authentication bypasses in 24 hours. The same root cause is in every reverse proxy.
Three high-severity Traefik advisories on April 25 2026: StripPrefixRegex Path/RawPath desync, forwarded-alias spoofing for pre-auth decisions, and ForwardAuth trustForwardHeader=false still leaking X-Forwarded-Prefix. All three are pre-authentication, all three let unauthenticated requests reach protected backends, and all three share the same root cause: edge and origin disagreed about what the request was. The same bug class lives in nginx, Envoy, HAProxy, and every CDN-fronted authenticated backend. Patch + audit guide.
Vercel Deployment Security: 10 Misconfigurations That Leak Secrets in 2026
Ten Vercel deployment misconfigurations we find repeatedly during penetration tests. NEXT_PUBLIC_* leaking service keys, preview deployments with production env vars, webhook handlers without signature verification, middleware path-smuggling bypass, unauthenticated API routes fanning out to paid third-party APIs, deployment-URL discovery of stale environments. Each with detection, exploitation, and fix.
OAuth 2.1 Migration in 2026: What Actually Changed and How to Move
OAuth 2.1 is the consolidated successor to OAuth 2.0 that deprecates the grant types that caused most real-world security bugs. The IETF draft became final in early 2026. Here is what changed, what to migrate first, and the specific patterns we see failing most often.
macOS Enterprise Hardening in 2026: The Configuration Beyond MDM Defaults
Apple's macOS is increasingly dominant in enterprise fleets. Security, design, finance, and executive teams ship on Mac. The default MDM configurations miss several important hardening controls. Here is the 2026 macOS enterprise hardening baseline.
Kubernetes Admission Controllers: The Policy Layer Most Clusters Forget
Most Kubernetes clusters we audit have RBAC sort-of configured, NetworkPolicies mostly working, and wide-open admission policy. A compromised service account that can create pods can create privileged pods, mount the host filesystem, and escape containers. Here is the admission controller configuration that stops this.
PowerShell Security for Enterprises in 2026: The Configuration Every Windows Shop Needs
PowerShell is the most powerful administrative tool on Windows and the most powerful post-exploitation framework for attackers. The enterprise configuration that enables defenders without disabling attackers is narrow. Here is the exact configuration that works in 2026.
Microsoft Entra ID Conditional Access: The 8 Gaps We Find in Every Audit
Microsoft Entra ID Conditional Access is the primary security control for M365 / Azure-dependent organizations. After running dozens of Entra ID audits in 2025-2026, these are the 8 configuration gaps we find repeatedly. Most produce real risk.
Zero Trust for Fully-Remote Companies: A Real-World Playbook
Most Zero Trust guidance assumes you have a corporate office. For fully-distributed companies with no corporate network, the architecture looks different. Here is the 2026 playbook for 50-500 person remote-first companies.
Salesforce Experience Cloud: The Multi-Million Dollar Misconfiguration Problem
Salesforce Experience Cloud (formerly Community Cloud) continues to expose sensitive Salesforce data due to misconfigured guest user profiles and permissive sharing rules. The pattern has caused multiple 2024-2026 breaches. Here is how to audit your own deployment.
AWS IMDS Attacks: SSRF to Role Credentials to Full Account Compromise
The Capital One breach ($190M settlement) exploited a textbook IMDSv1 SSRF attack to exfiltrate 106 million customer records. A deep dive into AWS Instance Metadata Service security, IMDSv1 vs v2, SSRF exploitation, enforcement SCPs, and the cloud penetration testing runbook we use on Valtik engagements.
OpenSSH 10.0 Security Changes: What Enterprise Defenders Need to Know
OpenSSH 10.0 shipped in April 2026 with post-quantum key agreement by default, legacy algorithm removals, and changes to agent forwarding behavior. Here are the changes that matter for enterprise sysadmins and what to expect during rollout.
Hasura GraphQL: Introspection, Auth Bypass, and Admin Secret Cracking
Hasura's permissive defaults, introspection-by-default, and shared-secret admin model make it a recurring finding on B2B SaaS penetration tests. A deep dive into GraphQL security audit patterns, row-level permission failures, and the hardening checklist for production Hasura deployments.
MFA Fatigue Attacks in 2026: Why Number Matching Is Not Enough Anymore
Push notification MFA with number matching was the defense against 2022-2024 MFA fatigue attacks. Adversaries adapted. Here is what is working in 2026, and why FIDO2 and session-binding are now the floor, not the ceiling.
API Security 2026: The Complete OWASP API Top 10 + Testing Methodology Guide
APIs are the highest-value attack surface for most businesses in 2026 and the one most frequently tested incorrectly. OWASP API Top 10 covers the specific failure patterns; almost every one is business logic that no scanner catches. This is the complete API security guide. Every OWASP category explained with real attack patterns. Authentication architecture shootout. Rate limiting patterns. API gateway tradeoffs. Testing methodology. 2026 emerging concerns (GraphQL, gRPC, event-driven, AI-integrated).
Auth0 Rules and Actions: The Hidden Code Execution Surface In Your Auth Provider
Auth0 runs your authentication. It also runs arbitrary JavaScript that your team (or past team members) wrote, triggered on every login. Auth0 Rules, Actions, and Hooks are code-execution surfaces that most organizations don't audit. A practical walkthrough of the attack patterns we find (compromised Rules, leaky Actions, privilege escalation via metadata manipulation) and the hardening every Auth0 tenant needs.
Strapi CMS Security: JWT Forgery, Plugin Vulnerabilities, and the Default Admin Problem
Strapi is the most popular open-source headless CMS, with tens of thousands of production deployments. It's also a recurring finding on our platform audits: JWT secrets that can be guessed, plugin vulnerabilities that haven't been patched, admin panels exposed to the internet, and role permissions that commonly grant too much. A deep dive into the Strapi attack patterns and hardening.
PocketBase Self-Hosted: 7 Ways Your Backend Gets Owned
PocketBase is a self-hosted, single-binary open-source backend-as-a-service written in Go. It's elegant, fast, and shipping in thousands of projects. It also has a consistent pattern of misconfiguration we find on audits: admin panels exposed, permissive record rules, auth bypass patterns, and hook misuse that turn a clean little binary into a data exposure.
AWS Cognito: Identity Pool Misconfiguration and the IAM Role Confusion Attack
AWS Cognito has two parts: User Pools (authentication) and Identity Pools (authorization for AWS services). Most Cognito security thinking focuses on User Pools: password policies, MFA, account security. The much more dangerous failure mode is in Identity Pools, where misconfigurations let unauthenticated users assume IAM roles with excessive privilege. A deep dive into the role confusion attacks we find on Cognito deployments.
Webhook Forgery: Stripe, Twilio, SendGrid, and the Signature Verification Developers Always Get Wrong
Your payment processor sends you a webhook saying a customer paid. You mark their order fulfilled. Except nobody paid. An attacker forged the webhook. Webhook signature verification is the most commonly skipped, misimplemented, or silently-broken security control in modern web applications. The specific bugs we find on every audit and how to actually implement verification correctly.
Building a Bug Bounty Program in 2026: From Zero to Paying Researchers Without Ruining Your Week
Running a bug bounty program is not just launching on HackerOne and hoping for the best. We have seen programs burn through $2M in the first year because the scope was too broad and the triage process did not exist. Here is the 2026 playbook for launching a program that finds real bugs without destroying engineering velocity.
API Gateway Security: The Perimeter Most Organizations Forget to Harden
API gateways sit between your customers and your services. They handle authentication, rate limiting, routing, and often act as the edge of your entire platform. A compromised or misconfigured gateway is a compromised platform. A practical walkthrough of API gateway attack patterns across Kong, Apigee, AWS API Gateway, and self-hosted options, plus the hardening that actually works.
SPF, DKIM, and DMARC in 2026: The Email Security Stack That Still Actually Works
Business email compromise costs US companies $2.9 billion a year. The defense is 30 years of email authentication standards that most companies still deploy incorrectly. Full config walkthrough for Gmail, Microsoft 365, and self-hosted with real DNS records, real BIMI setup, and the mistakes that silently break everything.
The 10 Kubernetes RBAC Misconfigurations We Find on Every Cluster Audit
Kubernetes RBAC is the primary access-control mechanism for every production cluster, and it's misconfigured on every single cluster we've audited. The 10 patterns we find every time, the exploitation paths each enables, and the tightening rules that stop them.
Argo CD: GitOps With Default Admin
Argo CD dashboards exposed without auth leak Kubernetes cluster internals, deployment configurations, and sync tokens. A lateral movement vector that turns a single misconfiguration into full cluster compromise. A Kubernetes penetration testing and cloud security deep dive.
Secrets Management 2026: The Complete Guide to Vaults, Rotation, and Leaked-Credential Response
Every company has secrets. Nobody knows where. This is the complete 2026 secrets management guide. What counts as a secret. The 11 places they leak. Vault architecture shootout (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, Doppler, Infisical). Rotation cadence. Dynamic secrets. Incident response for exposed secrets. Anti-patterns that persist everywhere.
Zero Trust Implementation: The Complete Multi-Year Playbook
You don't need Zero Trust. You need better identity, better segmentation, better device management, and better application access control. Zero Trust is what marketing calls that bundle. This is the complete ZTA implementation playbook. Pre-implementation assessment. Year-by-year roadmap. Five-pillar maturity model. Vendor shootout (Microsoft, Okta, Cloudflare, Zscaler, Netskope, Palo Alto, Cisco, JumpCloud). Seven anti-patterns that make programs fail.
Grafana: admin/admin Still Works in 2026
Grafana dashboards with admin/admin default credentials are still everywhere. Once inside, attackers pivot to the datasources (Prometheus, PostgreSQL, Elasticsearch) and extract credentials. A common finding in vulnerability assessments and external penetration testing.
Penetration Testing Methodology: The Complete Guide for Buyers and Testers
Methodology is the single most important factor in whether a pentest produces real security value. This is the complete methodology guide. PTES, OWASP Testing Guide, NIST SP 800-115, MITRE ATT&CK. All pentest types (external, internal, web app, API, cloud, red team, wireless, physical, social engineering). The seven phases in detail. How to evaluate a pentest firm before signing. Tool stack. Certification honesty. Our methodology.
Kubernetes Security: The Complete Hardening Guide for 2026
Every Kubernetes audit starts the same way. We land read-only kubeconfig access and within 45 seconds we have identified at least one ServiceAccount that can escalate to cluster-admin if the pod it runs in gets compromised. This is the complete 2026 Kubernetes hardening guide we walk through on every client engagement. Ten layers. API server, auth, RBAC, pod security, network policies, secrets, image security, supply chain, runtime detection, upgrade cadence.
