Pentrova Research
Research collective byline
Biography
Pentrova Research is the shared byline for multi-author blog posts, original threat research, and platform write-ups produced by the Pentrova research and engineering teams. Individual contributors are credited inside each post.
Posts by Pentrova Research
-
IDOR vs BOLA: the difference and how to test for both
IDOR and BOLA describe the same broken-access-control failure from different angles. Here is the precise difference and how to test for both.
-
SSRF in 2026: exploiting cloud metadata and how to prevent it
Server-side request forgery still leads to cloud credential theft in 2026. How SSRF reaches the metadata service, why IMDSv2 helps, and how to prevent it.
-
What is PTaaS? Penetration Testing as a Service explained
PTaaS (Penetration Testing as a Service) delivers pentesting as an always-on platform instead of a one-off engagement. Here is how it works and when to use it.
-
Continuous penetration testing: what it is and how to implement it
Continuous penetration testing replaces the annual snapshot with always-on, release-gated coverage. Here is what it is, why it matters, and how to roll it out.
-
OWASP API Security Top 10 (2023): a practical guide with testing notes
A practical walkthrough of the OWASP API Security Top 10 (2023) — what each risk means, how it shows up, and how to test for it with deterministic evidence.
-
Where AI helps in a pentest — and where only evidence is allowed to decide
Pentrova uses AI to decide what to test next, never to decide whether a finding is real. Here is where the boundary sits and why it builds trust.
-
From CVSS to evidence: why severity scores are not a triage oracle
CVSS estimates severity; evidence confirms impact. Here is what changes in vulnerability triage when the report leads with proof instead of a score.
-
OpenAPI lint: the missing security scheme that makes every endpoint look public
The most common OpenAPI mistake is a perfectly described API with no security scheme on any operation. Here is why it matters and how to fix the drift.
-
Choosing targets for your first Pentrova scan: environment, application, and scope
A practical guide to picking the right application, environment, and scope for your first deterministic pentest — and what a good first report looks like.
-
Authorization Matrix walkthrough: finding BOLA in a real API
A step-by-step walkthrough of how the Authorization Matrix models roles, captures reference responses, and flags cross-tenant BOLA leaks.
-
XXE to SSRF via DOCTYPE: exploiting and preventing XML external entity attacks
XML external entity injection does not stop at file reads. Here is how the XXE-to-SSRF chain works through DOCTYPE and how to prevent it.
-
Verifier internals: the three stages that close the proof loop
A walk through the three-stage verifier that turns a candidate exploit into a replayable, hash-verified PoC bundle: clean-session replay, byte diff, bundle.
-
CI-gated pentest runbook: moving from quarterly tests to release-gated chains
A pragmatic runbook for moving from quarterly penetration tests to continuous, release-gated exploit chains — scope, gating rules, and ownership.
-
Curated vs dynamic attack chains: two ways to compose impact, one evidence bar
Pentrova's curated escalation catalog and the dynamic chains it builds at scan time are held to the same evidence standard. Here is how they differ and combine.
-
BOLA hunting in microservices: how to find broken object-level authorization at scale
Broken object-level authorization (BOLA) only appears when two roles touch the same object. Here is how multi-role replay catches it at scale.
-
Canary-based taint tracking for DOM XSS: catching client-side bugs static analysis misses
How canary-based taint tracking tags every DOM ingress channel and watches a broad sink surface to catch DOM XSS that static analysis and reflection scans miss.
-
OAuth 2.0 replay attacks: authorization-code interception, missing PKCE, and how to test
A practical primer on OAuth 2.0 replay attacks — authorization-code interception, missing PKCE, and state-parameter gaps — with deterministic testing.
-
How Pentrova turns single bugs into exploit chains
Chains, not isolated findings, tell you whether an attacker can reach something that matters. Here is how Pentrova composes findings into proven impact.
-
Deterministic proof beats probabilistic CVSS: why replayable exploits change triage
Replayable exploit bundles change triage economics more than any severity score. Here is why deterministic proof beats probabilistic CVSS.