Cybersecurity notes
Blog
Practical write-ups on pentesting, OWASP, and the daily craft of offensive security.
SSL/TLS Hygiene in 2026: What to Fix Today
TLS 1.3 has been mandatory in spirit for years. Here is what an external scan still finds in 2026 on production sites, and which fixes are non-negotiable.
Auditing a WordPress Site in 30 Minutes
WordPress runs 40 % of the web. Most of those installs have at least one critical issue. Here is the half-hour audit that finds them.
Subdomain Enumeration: Going Wide Before You Go Deep
Why the first hour of a recon engagement should be subdomain enumeration, and how to do it without firing a thousand DNS queries at the target.
Spotting Phishing in 2026: Beyond the Obvious Signs
The classic phishing checklist (typos, weird URLs) catches almost nothing in 2026. Here is what actually distinguishes a phish from a legitimate email.
How to Prepare for OSCP: A Practical Guide
An honest, no-nonsense roadmap for passing the OSCP — the lab strategy that worked for me, the resources I'd repeat, and the ones I'd skip.
JWT Security Pitfalls: What Attackers Look For
JWTs are easy to use and even easier to misuse. The five mistakes I look for first when I see a Bearer token, and how to fix each one.
Security Headers: The Five That Actually Matter
Most security-header guides list twenty. Here are the five that actually change attacker behaviour, with the misconfigurations I see weekly.
Nmap Cheatsheet: Essential Flags for Pentesters
The Nmap flags I actually use on engagements — from quick discovery sweeps to slow OS-fingerprinting scans that don't trip the IDS.
What Is SQL Injection and How It Works
A practical walkthrough of SQL injection — what causes it, how attackers exploit it, and the parameterised-query pattern that kills it for good.