Practitioner-grade cybersecurity content
Technical playbooks, war stories, and how-to-think guides — written by practitioners, anchored to the Indian context.
Want structured, step-by-step learning instead? Explore the Academy (guided courses) or the AI security hub.
Latest articles
Most recent practitioner playbooks across every track. Filter by topic in the sidebar, or use search.
SIGINT for Defenders: Network Telemetry as Threat Intelligence
Defensive SIGINT — DNS DGA detection, DNS tunneling, beacon detection, exfiltration sizing, newly-registered domain queries. Splunk/SQL examples plus the Zeek + RITA…
Tools & TutorialsWebAssembly Security: The 2026 Attack Surface
Wasm security model — sandboxed VM, memory isolation. What's attackable — memory bugs in Wasm code, JS-Wasm boundary, side-channel, cryptojacking, server-side WASI…
Tools & TutorialsWeb Cache Poisoning: Hidden Inputs and Param Miner
Web cache poisoning via unkeyed inputs (X-Forwarded-Host, custom headers, cookies). Burp Param Miner workflow. Cache key configuration as the architectural fix.
Tools & TutorialsHTTP Request Smuggling: CL.TE, TE.CL, HTTP/2 Desync
Request smuggling variants — CL.TE, TE.CL, TE.TE with obfuscation, HTTP/2 desync. What attackers do (cache poisoning, auth bypass), Burp Smuggler workflow, HTTP/2…
Tools & TutorialsWebSocket Security: Cross-Site Hijacking, Auth Gaps, Channel Leakage
WebSocket attacks — CSWSH (cross-site hijacking), per-message auth gaps, input validation, rate-limiting absence, broadcast channel leakage. Burp + wscat testing workflow.
Tools & TutorialsAdvanced JWT Attacks: kid Path Traversal, JWE Confusion, JWK Trust
Beyond alg:none — kid path traversal, kid SQL injection, jku/x5u trust confusion, embedded jwk header attacks, JWE algorithm confusion. jwt_tool workflow.
Tools & TutorialsPrototype Pollution Exploitation in JavaScript
Prototype pollution in lodash, jQuery, custom merge utilities. Detection with Semgrep, exploitation paths (auth bypass, RCE chains), the safe-merge pattern with Object.create(null).
Tools & TutorialsCSP Bypass Techniques in 2026 and the Safe Defaults
CSP bypasses — JSONP on trusted CDN, AngularJS sandbox, unsafe-inline, wildcard sources, data: URIs, path-based bypasses. The nonce + strict-dynamic + Trusted…
Tools & TutorialsCORS Misconfigurations: Deep-Dive on the Common Bypasses
CORS misconfiguration patterns — reflective Origin with Allow-Credentials, null Origin trust, permissive subdomain wildcards, regex bypasses. Test commands, the safe pattern, Express.js…
Tools & TutorialsDOM-Based XSS in 2026: Modern Frameworks and Trusted Types
DOM-XSS in modern frameworks — vulnerable sinks (innerHTML, dangerouslySetInnerHTML, v-html, [innerHTML]). Source-to-sink analysis with Semgrep + Burp DOM Invader. The Trusted Types…