Pentrova Engineering
Engineering collective byline
Biography
Pentrova Engineering is the shared byline for posts about how the platform works — attack chains, the sandbox, coverage, integrations, and how findings are verified. Individual contributors are credited inside each post.
Posts by Pentrova Engineering
- How to prevent SQL injection: a developer's guide for 2026
  SQL injection is still exploitable in 2026. Here is how it works, why parameterized queries are the real fix, and how to verify your app is actually safe.
- A day in the life of Pentrova: from confirmed chain to merged fix
  Walk through a realistic engagement — scope, scan, chain, bundle, fix — in the shape a platform engineer actually sees it, from morning digest to un-gated beta.
- Attack-chain taxonomy 101: the five classes Pentrova organises coverage around
  Pentrova groups attack chains into five classes so teams fix them faster. Here are the classes, why they beat a flat CVSS list, and how each maps to coverage.
- Race condition testing playbook: finding TOCTOU bugs with burst traffic
  A pragmatic race-condition testing playbook: identify state invariants, baseline a single request, fire a coordinated burst, and diff against the baseline.
- Canary patterns for window.name: tracking an overlooked DOM XSS source
  window.name persists across navigations, making it a sneaky DOM XSS taint source. Here are the canary patterns that track it from ingress to sink.
- Why our sandbox never destructively exploits: proof without harm
  Proving a system is vulnerable should never require breaking it. Here is how Pentrova's sealed sandbox demonstrates real impact without destructive actions.
- Verifier design notes: why the smallest component decides what is a finding
  The verifier is the smallest component that decides whether a chain is a finding. Here is why minimal surface area is the right design for a trust boundary.
- Log4Shell chain replay: confirming CVE-2021-44228 with an out-of-band callback
  How to confirm Log4Shell (CVE-2021-44228) with an out-of-band DNS callback instead of a pattern match, and replay the follow-on escalation chain safely.
- Compliance-mapped reports for HIPAA evidence collection
  Replacing probability-scored findings with replayable PoC bundles shortens HIPAA and HITRUST evidence collection from weeks to days. Here is how.