Companies are moving fast on LLM features. A chatbot gets added to customer support, an assistant gets embedded into an internal portal, or a model gets connected to business systems so it can “take action” instead of just answering questions. That shift changes the security model. With a traditional UI, your code decides what every button does. With an LLM interface, you are inserting a non-deterministic component into the middle of the application flow. The question stops being just “what can this feature do?” and becomes “what can someone make it do?” ...

One mistake we still see across engagements and write-ups: using arbitrary third-party domains like evil.com, attacker.com, victim.com, and target.com in security reports and proof-of-concept payloads. During active testing, you at least know what you are touching. The bigger problem is documentation. When a finding lands in a report, a developer or triager trying to reproduce it will often copy-paste the payload verbatim and not think to replace attacker.com with something safe. Real data leaves their environment and goes somewhere you do not control. ...

Even though agents are getting smarter by the day, and more companies are relying on automated testing, manual penetration testing still matters. Sometimes you need it to uncover things automation just won’t catch, like business logic issues. Other times, you’re validating findings from tools or agents that got you halfway there. Either way, at some point, you’re in Burp Suite doing things manually. And that’s where a lot of time quietly disappears, not on the “hard” parts, but on small, repetitive annoyances: ...

Introduction We’ve been using passwords since before we even had computers, the Romans had their watchwords [1] and even prohibition-era speakeasies relied on them to grant entry. In the modern world, any person who ever touches a computer knows what a password is. Every hacking scene in a movie involves someone guessing a password until the big “Access Granted” alert pops up followed by a moment of celebration and relief. ...

Source code reviews are one of the most effective — and most misunderstood — security practices. Many teams associate them exclusively with compliance requirements or heavy manual processes, but modern security reviews can be lightweight, practical, and deeply integrated into everyday development workflows. In this post, we’ll break down what a security-focused source code review really means, how it differs from traditional code reviews, and how teams can make it a high-impact part of their secure development lifecycle. ...

Fintech companies aim to modernize access to financial information and services, and commonly create applications that require interacting with third-parties such as banks. Given the slow adoption of standards and public APIs, the current landscape presents particular technical challenges that sometimes require creative solutions. This lack of open APIs leads to fintech applications having to scrape data to access the information available at the third-party financial institutions. Scraping will usually require the application to know the third-party user credentials (username and password), so the different flows (login, query profile, execute transaction, etc.) can be simulated. From a security perspective, having to be a custodial of these credentials presents a big risk, so designing an application that incorporates proper controls to safeguard this piece of information is key. ...