Secrets Management: Eliminating Credential Sprawl Before It Becomes a Breach
Hardcoded credentials and long-lived API keys are among the most reliably exploited vulnerabilities in modern applications. Here is how to eliminate them systematically.
// Latest Thinking
Practical research, technical breakdowns, and field notes from the ctfwithai team.
APIs are the attack surface that traditional web application testing frameworks were not designed for. Here is a structured methodology for finding what scanners miss.
WAFs provide useful defence-in-depth but they are not impenetrable. Understanding how WAF bypass works helps you configure and layer controls more effectively.
Supply chain attacks have moved from exotic threat to expected attack vector. We break down what made SolarWinds and XZ Utils so effective and what a proportionate response looks like.
Most SIEM deployments are drowning in false positives and missing real attacks. Detection engineering as a discipline changes that by applying software engineering practices to rule development.
Modern ransomware operations are sophisticated multi-stage attacks. Understanding each phase of the kill chain tells you exactly where defensive investment has the highest return.
IAM misconfiguration is consistently the top finding in cloud security assessments. We document the most exploitable patterns in AWS and GCP and show what secure configurations look like.
Active Directory remains the most targeted identity infrastructure in enterprise environments. We map the most common lateral movement paths and the controls that actually stop them.
Zero Trust is not a product you buy. It is an architectural philosophy that requires rethinking how identity, device posture, and network segmentation work together.
Prompt injection is not just a research curiosity. We document real attack patterns observed in production LLM deployments and show what effective mitigations look like.
Large language models introduce attack surfaces that conventional AppSec frameworks were not designed for. We break down all ten risks with real exploitation examples.
The terms are used interchangeably but they measure very different things. Here is how to scope the engagement that actually matches your threat model.
Most ISO 27001 implementations drown in documentation. We walk through how to achieve certification while building controls your team will actually maintain.