Blog · Security Research · Field Notes

Offensive security deep-dives from the field.

Pen testing walkthroughs, compliance field notes, cloud attack chains and thought leadership from the CyberFortify offensive security team. Written by practitioners, for practitioners.

Topics: Pen Testing · Compliance · Cloud Security · API · Red Team Format: Technical deep-dives + strategic guides
Topics: OWASP Top 10 · PCI DSS v4.0 · SSRF Chains · BOLA · iOS Pinning Bypass · Red Team vs Pen Test · SOC 2 · ISO 27001 · HIPAA · Cloud IAM Escalation · API Security · Frida · Certificate Pinning · Compliance Consulting Topics: OWASP Top 10 · PCI DSS v4.0 · SSRF Chains · BOLA · iOS Pinning Bypass · Red Team vs Pen Test · SOC 2 · ISO 27001 · HIPAA · Cloud IAM Escalation · API Security · Frida · Certificate Pinning · Compliance Consulting
OW
Featured
Pen Testing Deep-Dive

OWASP Top 10 2021 → 2026: what actually changed in real engagements

Five years of OWASP data, mapped against hundreds of actual pen test findings. Broken Access Control still leads - but SSRF, injection, and insecure design have shifted in ways the updated list doesn't fully capture. Here's what we're actually finding in 2026.

April 2026 14 min read CyberFortify Research Read post →
Mobile Security

Bypassing certificate pinning on iOS in 2026 - Frida, Objection, KeychainItem

Rootless jailbreaks, TrustKit, Network.framework, and custom pinning implementations. A full walkthrough of every technique we use in mobile pen tests today - and what to do when Objection doesn't work.

April 2026 16 min read Read →
Cloud Security

SSRF → IMDSv2 → STS: the cloud privilege-escalation chain we still see weekly

The full attack chain: SSRF entry point to AWS metadata service to IAM credential theft to STS AssumeRole privilege escalation. With real request examples, Azure/GCP equivalents, and remediation that actually works.

April 2026 12 min read Read →
API Security

BOLA in REST APIs: why scanners miss the most common API1 finding

Object-level authorization failures are OWASP API Top 10 #1 for a reason - and automated scanners are structurally incapable of finding them. Here's how we test for BOLA manually, including GraphQL variants and compound key patterns.

April 2026 11 min read Read →
Compliance

PCI DSS v4.0 segmentation testing - what auditors now expect under 11.4.5

Requirement 11.4.5 tightened significantly in PCI DSS v4.0. QSAs now expect evidence that your segmentation controls actively prevent CDE-scope expansion. Here's what the test must cover, what auditors reject, and what a passing deliverable looks like.

April 2026 10 min read Read →
Strategy

Red team vs pen test: when each is wrong

The most expensive mistake in security procurement is buying the wrong engagement type. Pen tests that should have been red teams, red teams that should have been pen tests - and the questions that tell you which you actually need.

April 2026 9 min read Read →
Web App Security

Clickjacking attacks: how invisible iframes hijack user clicks - and how to stop them

Clickjacking (UI redressing) requires no malware and no XSS - just a transparent iframe and an authenticated session. Attack anatomy, six real variants, X-Frame-Options vs CSP frame-ancestors, frame busting bypasses, and a six-point prevention checklist.

April 2026 10 min read Read →
Pen Testing

Web application pen testing tools for evolving attack surfaces

SPAs, GraphQL, edge functions, AI-powered apps - the attack surface has changed. So has the toolchain. A practitioner's guide to the proxy tools, recon utilities, API testing rigs, and specialized scanners we use in 2026 engagements.

Nov 2025 13 min read Read →
Compliance

The link between compliance and protection: how cybersecurity consulting bridges the gap

Compliance gives you a documented security posture. Protection gives you an actual one. Most organisations discover the gap between them during a breach. Here's how consulting bridges it - and what a mature programme looks like when both are working.

Nov 2025 11 min read Read →
Compliance

How regulatory compliance consulting services can help your organisation

SOC 2, ISO 27001, PCI DSS, HIPAA, GDPR, FTC Safeguards, CMMC - the regulatory landscape compounds every year. What compliance consulting actually delivers, common mistakes that derail audits, and how to right-size the engagement for your maturity level.

Oct 2025 10 min read Read →
Partnership

Koop × CyberFortify: when compliance gets smart and security gets strong

Koop's automated compliance intelligence combined with CyberFortify's manual offensive security practice. Why automated GRC and manual pen testing aren't alternatives - they're a force multiplier when used together.

Nov 2025 8 min read Read →
Free Resource

Web Application Pentest Checklist - 2026 edition

156 test cases across pre-engagement, recon, authentication, authorization, injection, cryptography, API, business logic and reporting phases. Download the full PDF or browse the interactive version.

Always updated Free download Get checklist →

Ready for a real engagement?

Every post here is drawn from real pen test findings. When you're ready to test your own systems, our offensive security team will find what your scanners and automated tools miss.

Schedule scoping call →