Multi-tenant SaaS applications are a tricky beast. From the outside, they look like a single product, but underneath the surface, they’re hosting data and configurations for dozens, hundreds, somet...

There is a particular category of finding that stops you mid-test. Not because it is technically complex, but because of what you are looking at. A single unauthenticated GET request that returns l...

Imagine a standard Red Team engagement scenario. Where you somehow manage to compromise a single low-privileged on-premises user. You execute a series of classic post-exploitation manoeuvres: movin...

Cognisys was presented with a challenge: A locked-down Citrix environment. After logging into the machine, Cognisys was dropped onto a standard Windows desktop, but with significant restrictions. T...

Modern web applications rely heavily on automation. Email notifications, document processing alerts, and password recovery workflows are all common features designed to improve usability and stream...

In a true black-box assessment, the engagement begins with minimal information: a target URL and no prior knowledge of the application’s architecture, credentials, or codebase. During a recent enga...

Companies today pour fortunes into building digital fortresses. They deploy robust Web Application Firewalls, obsess over Zero-Trust architectures, and lock down their Identity and Access Managemen...

Sometimes the biggest breaches start with the simplest blind spots. During a recent engagement, we were handed what looked like an ordinary corporate portal, with a clean interface, a standard logi...

In late 2025 and early 2026, the cybersecurity landscape witnessed a disturbing trend involving the mass disclosure of Supabase API keys. This pattern came to a head when our team identified a mass...

A security professional working in the threat hunting domain recently identified a suspicious URL specifically targeting macOS users. The campaign appears to leverage a macOS variant of the well-kn...