How to prevent SQL injection: a developer's guide for 2026
SQL injection is still exploitable in 2026. Here is how it works, why parameterized queries are the real fix, and how to verify your app is actually safe.
May 30, 2026 · Pentrova Engineering
Blog
Page 1 of 3 · 28 posts
IDOR vs BOLA: the difference and how to test for both
IDOR and BOLA describe the same broken-access-control failure from different angles. Here is the precise difference and how to test for both.
May 28, 2026 · Pentrova Research
SSRF in 2026: exploiting cloud metadata and how to prevent it
Server-side request forgery still leads to cloud credential theft in 2026. How SSRF reaches the metadata service, why IMDSv2 helps, and how to prevent it.
May 26, 2026 · Pentrova Research
What is PTaaS? Penetration Testing as a Service explained
PTaaS (Penetration Testing as a Service) delivers pentesting as an always-on platform instead of a one-off engagement. Here is how it works and when to use it.
May 24, 2026 · Pentrova Research
Continuous penetration testing: what it is and how to implement it
Continuous penetration testing replaces the annual snapshot with always-on, release-gated coverage. Here is what it is, why it matters, and how to roll it out.
May 22, 2026 · Pentrova Research
OWASP API Security Top 10 (2023): a practical guide with testing notes
A practical walkthrough of the OWASP API Security Top 10 (2023) — what each risk means, how it shows up, and how to test for it with deterministic evidence.
May 20, 2026 · Pentrova Research
A day in the life of Pentrova: from confirmed chain to merged fix
Walk through a realistic engagement — scope, scan, chain, bundle, fix — in the shape a platform engineer actually sees it, from morning digest to un-gated beta.
May 18, 2026 · Pentrova Engineering
Where AI helps in a pentest — and where only evidence is allowed to decide
Pentrova uses AI to decide what to test next, never to decide whether a finding is real. Here is where the boundary sits and why it builds trust.
May 15, 2026 · Pentrova Research
From CVSS to evidence: why severity scores are not a triage oracle
CVSS estimates severity; evidence confirms impact. Here is what changes in vulnerability triage when the report leads with proof instead of a score.
May 12, 2026 · Pentrova Research
Attack-chain taxonomy 101: the five classes Pentrova organises coverage around
Pentrova groups attack chains into five classes so teams fix them faster. Here are the classes, why they beat a flat CVSS list, and how each maps to coverage.
May 8, 2026 · Pentrova Engineering