/ labs

Research from the offensive team.

Exploit writeups, CVE disclosures, and novel attack-class research from the same pentesters who sign off on our engagements.

CVE disclosure · Pending disclosure

JWT verifier that accepted alg:none in 2026

How a custom JWT implementation drifted from library defaults over three years and why the fix was one line but the finding was two hours.

Attack class · In review

GraphQL alias abuse as a rate-limit bypass

A technique that consistently defeats per-request rate limits on login mutations. Includes a taxonomy of where it hits hardest and how to fix it properly.

Writeup · In review

Indirect prompt injection via calendar invites

An AI scheduling assistant was trivially jailbroken by adding instructions in the notes field of an incoming meeting invite. What the attack looked like, what broke, and how to mitigate.

Research · Dataset anonymization

Tenant isolation gaps in 5 multi-tenant SaaS platforms

Patterns of cross-tenant flaws we kept finding across engagements. Coded against an anonymized dataset, focused on what was shared versus what should have been.

// research previews · full writeups published as disclosures clear