Placeholder: A JWT verifier that accepted alg:none in 2026
How a custom JWT implementation drifted from library defaults over three years and why the fix was one line but the finding was two hours.
Placeholder: GraphQL alias abuse as a rate-limit bypass
A technique that consistently defeats per-request rate limits on login mutations. Includes a taxonomy of where it hits hardest and how to fix it properly.
Placeholder: Indirect prompt injection via calendar invites
An AI scheduling assistant was trivially jailbroken by adding instructions in the notes field of an incoming meeting invite. What the attack looked like, what broke, and how to mitigate.
Placeholder: Tenant isolation gaps in 5 multi-tenant SaaS platforms
Patterns of cross-tenant flaws we kept finding across engagements, coded to an anonymized dataset and focused on what was shared versus what should have been.
// real posts will live here · these cards are structural placeholders