Research
Field reports from offensive security.
Exploit walkthroughs, deterministic-proof essays, and platform notes from the Pentrova research team. Posts marked Sample use placeholder research while editorial reviews the byline.
Guides
Start with the fundamentals
Evergreen explainers and comparisons on automated penetration testing — the place to start before the research archive below.
Guide
What is automated penetration testing?
How AI-driven pentesting works, how it differs from DAST scanning, and when continuous PTaaS replaces a manual pentest.
Comparison
Automated vs manual penetration testing
Speed, coverage, cost, exploit validation, and false positives compared — and where automated PTaaS fits.
Archive
All writing
25 earlier posts
9 min
What is PTaaS? Penetration Testing as a Service explained
PTaaS (Penetration Testing as a Service) delivers pentesting as an always-on platform instead of a one-off engagement. Here is how it works and when to use it.
- best-practices
- getting-started
Pentrova Research
10 min
Continuous penetration testing: what it is and how to implement it
Continuous penetration testing replaces the annual snapshot with always-on, release-gated coverage. Here is what it is, why it matters, and how to roll it out.
- ci
- ci-cd
Pentrova Research
11 min
OWASP API Security Top 10 (2023): a practical guide with testing notes
A practical walkthrough of the OWASP API Security Top 10 (2023) — what each risk means, how it shows up, and how to test for it with deterministic evidence.
- openapi
- bola
Pentrova Research
5 min · Sample
A day in the life of Pentrova: from confirmed chain to merged fix
Walk through a realistic engagement — scope, scan, chain, bundle, fix — in the shape a platform engineer actually sees it, from morning digest to un-gated beta.
- demo
- product-updates
Pentrova Engineering
6 min · Sample
Where AI helps in a pentest — and where only evidence is allowed to decide
Pentrova uses AI to decide what to test next, never to decide whether a finding is real. Here is where the boundary sits and why it builds trust.
- llm
- agents
Pentrova Research
6 min · Sample
From CVSS to evidence: why severity scores are not a triage oracle
CVSS estimates severity; evidence confirms impact. Here is what changes in vulnerability triage when the report leads with proof instead of a score.
- cvss
- research
Pentrova Research
6 min
Attack-chain taxonomy 101: the five classes Pentrova organises coverage around
Pentrova groups attack chains into five classes so teams fix them faster. Here are the classes, why they beat a flat CVSS list, and how each maps to coverage.
- taxonomy
- chains
Pentrova Engineering
6 min · Sample
OpenAPI lint: the missing security scheme that makes every endpoint look public
The most common OpenAPI mistake is a perfectly described API with no security scheme on any operation. Here is why it matters and how to fix the drift.
- openapi
- research
Pentrova Research
7 min · Sample
Choosing targets for your first Pentrova scan: environment, application, and scope
A practical guide to picking the right application, environment, and scope for your first deterministic pentest — and what a good first report looks like.
- getting-started
- scope
Pentrova Research
8 min · Sample
Race condition testing playbook: finding TOCTOU bugs with burst traffic
A pragmatic race-condition testing playbook: identify state invariants, baseline a single request, fire a coordinated burst, and diff against the baseline.
- race-condition
- playbook
Pentrova Engineering
7 min · Sample
Authorization Matrix walkthrough: finding BOLA in a real API
A step-by-step walkthrough of how the Authorization Matrix models roles, captures reference responses, and flags cross-tenant BOLA leaks.
- authorization-matrix
- bola
Pentrova Research
8 min · Sample
XXE to SSRF via DOCTYPE: exploiting and preventing XML external entity attacks
XML external entity injection does not stop at file reads. Here is how the XXE-to-SSRF chain works through DOCTYPE and how to prevent it.
- xxe
- ssrf
Pentrova Research
7 min
Verifier internals: the three stages that close the proof loop
A walk through the three-stage verifier that turns a candidate exploit into a replayable, hash-verified PoC bundle: clean-session replay, byte diff, bundle.
- replayverifier
- internals
Pentrova Research
6 min · Sample
Canary patterns for window.name: tracking an overlooked DOM XSS source
window.name persists across navigations, making it a sneaky DOM XSS taint source. Here are the canary patterns that track it from ingress to sink.
- xss
- dom
Pentrova Engineering
8 min · Sample
CI-gated pentest runbook: moving from quarterly tests to release-gated chains
A pragmatic runbook for moving from quarterly penetration tests to continuous, release-gated exploit chains — scope, gating rules, and ownership.
- ci
- ci-cd
Pentrova Research
6 min · Sample
Why our sandbox never destructively exploits: proof without harm
Proving a system is vulnerable should never require breaking it. Here is how Pentrova's sealed sandbox demonstrates real impact without destructive actions.
- sandbox
- poc
Pentrova Engineering
6 min
Verifier design notes: why the smallest component decides what is a finding
The verifier is the smallest component that decides whether a chain is a finding. Here is why minimal surface area is the right design for a trust boundary.
- architecture
- replayverifier
Pentrova Engineering
6 min · Sample
Curated vs dynamic attack chains: two ways to compose impact, one evidence bar
Pentrova's curated escalation catalog and the dynamic chains it builds at scan time are held to the same evidence standard. Here is how they differ and combine.
- chains
- research
Pentrova Research
7 min · Sample
Log4Shell chain replay: confirming CVE-2021-44228 with an out-of-band callback
How to confirm Log4Shell (CVE-2021-44228) with an out-of-band DNS callback instead of a pattern match, and replay the follow-on escalation chain safely.
- log4shell
- chains
Pentrova Engineering
8 min · Sample
BOLA hunting in microservices: how to find broken object-level authorization at scale
Broken object-level authorization (BOLA) only appears when two roles touch the same object. Here is how multi-role replay catches it at scale.
- bola
- authz
Pentrova Research
8 min · Sample
Canary-based taint tracking for DOM XSS: catching client-side bugs static analysis misses
How canary-based taint tracking tags every DOM ingress channel and watches a broad sink surface to catch DOM XSS that static analysis and reflection scans miss.
- xss
- dom
Pentrova Research
7 min · Sample
Compliance-mapped reports for HIPAA evidence collection
Replacing probability-scored findings with replayable PoC bundles shortens HIPAA and HITRUST evidence collection from weeks to days. Here is how.
- compliance
- hipaa
Pentrova Engineering
7 min · Sample
OAuth 2.0 replay attacks: authorization-code interception, missing PKCE, and how to test
A practical primer on OAuth 2.0 replay attacks — authorization-code interception, missing PKCE, and state-parameter gaps — with deterministic testing.
- oauth2
- oauth
Pentrova Research
8 min · Sample
How Pentrova turns single bugs into exploit chains
Chains, not isolated findings, tell you whether an attacker can reach something that matters. Here is how Pentrova composes findings into proven impact.
- chains
- llm
Pentrova Research
7 min · Sample
Deterministic proof beats probabilistic CVSS: why replayable exploits change triage
Replayable exploit bundles change triage economics more than any severity score. Here is why deterministic proof beats probabilistic CVSS.
- research
- poc
Pentrova Research