Web Pentest
OWASP Top 10 in 2026, business logic flaws, authentication bypasses, API security.
Module 7 · SAST, DAST, and Security in the CI/CD Pipeline
Why this module exists. SAST that produces 1000 false positives per scan trains developers to ignore findings. SAST tuned and triaged surfaces…
AcademyModule 6 · Dependency Security and SBOM Management
Why this module exists. Your application’s CVE exposure is mostly in its dependencies, not its own code. Managing that exposure requires inventory,…
AcademyModule 5 · Application-Level Cryptography — Avoiding the Common Mistakes
Why this module exists. Cryptographic primitives have safe defaults that produce safe outcomes if used correctly. Developers who deviate — even with…
AcademyModule 4 · Authentication and Session Management — Modern Patterns
Why this module exists. Modern authentication is not “username + password + check the DB.” It is a stack of OAuth flows,…
AcademyModule 3 · Input Validation and Output Encoding — Universal Defences
Why this module exists. The single highest-leverage developer education is the principle “structure separates code from data.” Input validation and output encoding…
AcademySecure Code Review at Scale
Per-PR vs feature-level vs deep-dive code reviews, OWASP Top 10 hunt patterns, Semgrep custom-rule programme, what humans find that tools miss, rollout…
AcademySecure Coding Across Languages
Language-specific secure-coding patterns — Python, Node/TS, Java, Go, Rust, PHP. Common pitfalls, safe alternatives, crypto patterns, dependency scanning.
AcademyApplication Security Programme and WAF Tuning
Building an AppSec programme that scales — maturity ladder, security champions, CI/CD security pipeline, tooling baseline, metrics, bug bounty, threat modelling integration.
Tools & TutorialsDOM-Based XSS in 2026: Modern Frameworks and Trusted Types
DOM-XSS in modern frameworks — vulnerable sinks (innerHTML, dangerouslySetInnerHTML, v-html, [innerHTML]). Source-to-sink analysis with Semgrep + Burp DOM Invader. The Trusted Types…
Tools & TutorialsCORS Misconfigurations: Deep-Dive on the Common Bypasses
CORS misconfiguration patterns — reflective Origin with Allow-Credentials, null Origin trust, permissive subdomain wildcards, regex bypasses. Test commands, the safe pattern, Express.js…