{"version":"https://jsonfeed.org/version/1.1","title":"Pentrova Blog","home_page_url":"https://pentrova.ai/blog","feed_url":"https://pentrova.ai/feed.json","description":"Latest posts from the Pentrova security research team.","language":"en-US","icon":"https://pentrova.ai/favicon.svg","favicon":"https://pentrova.ai/favicon.png","authors":[{"name":"Pentrova","url":"https://pentrova.ai"}],"items":[{"id":"https://pentrova.ai/blog/prevent-sql-injection-guide","url":"https://pentrova.ai/blog/prevent-sql-injection-guide","title":"How to prevent SQL injection: a developer's guide for 2026","summary":"SQL injection is still exploitable in 2026. Here is how it works, why parameterized queries are the real fix, and how to verify your app is actually safe.","content_text":"SQL injection is still exploitable in 2026. Here is how it works, why parameterized queries are the real fix, and how to verify your app is actually safe.","date_published":"2026-05-30T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Engineering"}],"tags":["sqli","rce","best-practices","research"],"image":"https://pentrova.ai/og/prevent-sql-injection-guide.png"},{"id":"https://pentrova.ai/blog/idor-vs-bola","url":"https://pentrova.ai/blog/idor-vs-bola","title":"IDOR vs BOLA: the difference and how to test for both","summary":"IDOR and BOLA describe the same broken-access-control failure from different angles. Here is the precise difference and how to test for both.","content_text":"IDOR and BOLA describe the same broken-access-control failure from different angles. Here is the precise difference and how to test for both.","date_published":"2026-05-28T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Research"}],"tags":["idor","bola","authz","research"],"image":"https://pentrova.ai/og/idor-vs-bola.png"},{"id":"https://pentrova.ai/blog/ssrf-cloud-metadata-2026","url":"https://pentrova.ai/blog/ssrf-cloud-metadata-2026","title":"SSRF in 2026: exploiting cloud metadata and how to prevent it","summary":"Server-side request forgery still leads to cloud credential theft in 2026. How SSRF reaches the metadata service, why IMDSv2 helps, and how to prevent it.","content_text":"Server-side request forgery still leads to cloud credential theft in 2026. How SSRF reaches the metadata service, why IMDSv2 helps, and how to prevent it.","date_published":"2026-05-26T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Research"}],"tags":["ssrf","rce","chains","research"],"image":"https://pentrova.ai/og/ssrf-cloud-metadata-2026.png"},{"id":"https://pentrova.ai/blog/what-is-ptaas","url":"https://pentrova.ai/blog/what-is-ptaas","title":"What is PTaaS? Penetration Testing as a Service explained","summary":"PTaaS (Penetration Testing as a Service) delivers pentesting as an always-on platform instead of a one-off engagement. Here is how it works and when to use it.","content_text":"PTaaS (Penetration Testing as a Service) delivers pentesting as an always-on platform instead of a one-off engagement. Here is how it works and when to use it.","date_published":"2026-05-24T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Research"}],"tags":["best-practices","getting-started","research"],"image":"https://pentrova.ai/og/what-is-ptaas.png"},{"id":"https://pentrova.ai/blog/continuous-penetration-testing","url":"https://pentrova.ai/blog/continuous-penetration-testing","title":"Continuous penetration testing: what it is and how to implement it","summary":"Continuous penetration testing replaces the annual snapshot with always-on, release-gated coverage. Here is what it is, why it matters, and how to roll it out.","content_text":"Continuous penetration testing replaces the annual snapshot with always-on, release-gated coverage. Here is what it is, why it matters, and how to roll it out.","date_published":"2026-05-22T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Research"}],"tags":["ci","ci-cd","best-practices","runbook"],"image":"https://pentrova.ai/og/continuous-penetration-testing.png"},{"id":"https://pentrova.ai/blog/owasp-api-security-top-10-guide","url":"https://pentrova.ai/blog/owasp-api-security-top-10-guide","title":"OWASP API Security Top 10 (2023): a practical guide with testing notes","summary":"A practical walkthrough of the OWASP API Security Top 10 (2023) — what each risk means, how it shows up, and how to test for it with deterministic evidence.","content_text":"A practical walkthrough of the OWASP API Security Top 10 (2023) — what each risk means, how it shows up, and how to test for it with deterministic evidence.","date_published":"2026-05-20T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Research"}],"tags":["openapi","bola","authz","best-practices","research"],"image":"https://pentrova.ai/og/owasp-api-security-top-10-guide.png"},{"id":"https://pentrova.ai/blog/interactive-demo-day-in-life","url":"https://pentrova.ai/blog/interactive-demo-day-in-life","title":"A day in the life of Pentrova: from confirmed chain to merged fix","summary":"Walk through a realistic engagement — scope, scan, chain, bundle, fix — in the shape a platform engineer actually sees it, from morning digest to un-gated beta.","content_text":"Walk through a realistic engagement — scope, scan, chain, bundle, fix — in the shape a platform engineer actually sees it, from morning digest to un-gated beta.","date_published":"2026-05-18T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Engineering"}],"tags":["demo","product-updates","walkthrough"],"image":"https://pentrova.ai/og/interactive-demo-day-in-life.png"},{"id":"https://pentrova.ai/blog/llm-routing-pentest-agents","url":"https://pentrova.ai/blog/llm-routing-pentest-agents","title":"Where AI helps in a pentest — and where only evidence is allowed to decide","summary":"Pentrova uses AI to decide what to test next, never to decide whether a finding is real. Here is where the boundary sits and why it builds trust.","content_text":"Pentrova uses AI to decide what to test next, never to decide whether a finding is real. Here is where the boundary sits and why it builds trust.","date_published":"2026-05-15T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Research"}],"tags":["llm","agents","research"],"image":"https://pentrova.ai/og/llm-routing-pentest-agents.png"},{"id":"https://pentrova.ai/blog/cvss-to-evidence","url":"https://pentrova.ai/blog/cvss-to-evidence","title":"From CVSS to evidence: why severity scores are not a triage oracle","summary":"CVSS estimates severity; evidence confirms impact. Here is what changes in vulnerability triage when the report leads with proof instead of a score.","content_text":"CVSS estimates severity; evidence confirms impact. Here is what changes in vulnerability triage when the report leads with proof instead of a score.","date_published":"2026-05-12T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Research"}],"tags":["cvss","research","poc"],"image":"https://pentrova.ai/og/cvss-to-evidence.png"},{"id":"https://pentrova.ai/blog/attack-chain-taxonomy-101","url":"https://pentrova.ai/blog/attack-chain-taxonomy-101","title":"Attack-chain taxonomy 101: the five classes Pentrova organises coverage around","summary":"Pentrova groups attack chains into five classes so teams fix them faster. Here are the classes, why they beat a flat CVSS list, and how each maps to coverage.","content_text":"Pentrova groups attack chains into five classes so teams fix them faster. Here are the classes, why they beat a flat CVSS list, and how each maps to coverage.","date_published":"2026-05-08T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Engineering"}],"tags":["taxonomy","chains","research"],"image":"https://pentrova.ai/og/attack-chain-taxonomy-101.png"},{"id":"https://pentrova.ai/blog/openapi-lint-missing-security","url":"https://pentrova.ai/blog/openapi-lint-missing-security","title":"OpenAPI lint: the missing security scheme that makes every endpoint look public","summary":"The most common OpenAPI mistake is a perfectly described API with no security scheme on any operation. Here is why it matters and how to fix the drift.","content_text":"The most common OpenAPI mistake is a perfectly described API with no security scheme on any operation. Here is why it matters and how to fix the drift.","date_published":"2026-05-05T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Research"}],"tags":["openapi","research","best-practices"],"image":"https://pentrova.ai/og/openapi-lint-missing-security.png"},{"id":"https://pentrova.ai/blog/choosing-targets-for-your-first-scan","url":"https://pentrova.ai/blog/choosing-targets-for-your-first-scan","title":"Choosing targets for your first Pentrova scan: environment, application, and scope","summary":"A practical guide to picking the right application, environment, and scope for your first deterministic pentest — and what a good first report looks like.","content_text":"A practical guide to picking the right application, environment, and scope for your first deterministic pentest — and what a good first report looks like.","date_published":"2026-04-28T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Research"}],"tags":["getting-started","scope","best-practices"],"image":"https://pentrova.ai/og/choosing-targets-for-your-first-scan.png"},{"id":"https://pentrova.ai/blog/race-condition-playbook","url":"https://pentrova.ai/blog/race-condition-playbook","title":"Race condition testing playbook: finding TOCTOU bugs with burst traffic","summary":"A pragmatic race-condition testing playbook: identify state invariants, baseline a single request, fire a coordinated burst, and diff against the baseline.","content_text":"A pragmatic race-condition testing playbook: identify state invariants, baseline a single request, fire a coordinated burst, and diff against the baseline.","date_published":"2026-04-21T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Engineering"}],"tags":["race-condition","playbook","research"],"image":"https://pentrova.ai/og/race-condition-playbook.png"},{"id":"https://pentrova.ai/blog/authorization-matrix-walkthrough","url":"https://pentrova.ai/blog/authorization-matrix-walkthrough","title":"Authorization Matrix walkthrough: finding BOLA in a real API","summary":"A step-by-step walkthrough of how the Authorization Matrix models roles, captures reference responses, and flags cross-tenant BOLA leaks.","content_text":"A step-by-step walkthrough of how the Authorization Matrix models roles, captures reference responses, and flags cross-tenant BOLA leaks.","date_published":"2026-04-14T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Research"}],"tags":["authorization-matrix","bola","walkthrough","authz"],"image":"https://pentrova.ai/og/authorization-matrix-walkthrough.png"},{"id":"https://pentrova.ai/blog/xxe-to-ssrf-doctype","url":"https://pentrova.ai/blog/xxe-to-ssrf-doctype","title":"XXE to SSRF via DOCTYPE: exploiting and preventing XML external entity attacks","summary":"XML external entity injection does not stop at file reads. Here is how the XXE-to-SSRF chain works through DOCTYPE and how to prevent it.","content_text":"XML external entity injection does not stop at file reads. Here is how the XXE-to-SSRF chain works through DOCTYPE and how to prevent it.","date_published":"2026-04-07T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Research"}],"tags":["xxe","ssrf","chains","research"],"image":"https://pentrova.ai/og/xxe-to-ssrf-doctype.png"},{"id":"https://pentrova.ai/blog/replayverifier-internals","url":"https://pentrova.ai/blog/replayverifier-internals","title":"Verifier internals: the three stages that close the proof loop","summary":"A walk through the three-stage verifier that turns a candidate exploit into a replayable, hash-verified PoC bundle: clean-session replay, byte diff, bundle.","content_text":"A walk through the three-stage verifier that turns a candidate exploit into a replayable, hash-verified PoC bundle: clean-session replay, byte diff, bundle.","date_published":"2026-03-31T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Research"}],"tags":["replayverifier","internals","poc"],"image":"https://pentrova.ai/og/replayverifier-internals.png"},{"id":"https://pentrova.ai/blog/canary-patterns-window-name","url":"https://pentrova.ai/blog/canary-patterns-window-name","title":"Canary patterns for window.name: tracking an overlooked DOM XSS source","summary":"window.name persists across navigations, making it a sneaky DOM XSS taint source. Here are the canary patterns that track it from ingress to sink.","content_text":"window.name persists across navigations, making it a sneaky DOM XSS taint source. Here are the canary patterns that track it from ingress to sink.","date_published":"2026-03-24T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Engineering"}],"tags":["xss","dom","research","canary"],"image":"https://pentrova.ai/og/canary-patterns-window-name.png"},{"id":"https://pentrova.ai/blog/ci-gated-pentest-runbook","url":"https://pentrova.ai/blog/ci-gated-pentest-runbook","title":"CI-gated pentest runbook: moving from quarterly tests to release-gated chains","summary":"A pragmatic runbook for moving from quarterly penetration tests to continuous, release-gated exploit chains — scope, gating rules, and ownership.","content_text":"A pragmatic runbook for moving from quarterly penetration tests to continuous, release-gated exploit chains — scope, gating rules, and ownership.","date_published":"2026-03-17T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Research"}],"tags":["ci","ci-cd","runbook","best-practices"],"image":"https://pentrova.ai/og/ci-gated-pentest-runbook.png"},{"id":"https://pentrova.ai/blog/sandboxvalidator-never-destructive","url":"https://pentrova.ai/blog/sandboxvalidator-never-destructive","title":"Why our sandbox never destructively exploits: proof without harm","summary":"Proving a system is vulnerable should never require breaking it. Here is how Pentrova's sealed sandbox demonstrates real impact without destructive actions.","content_text":"Proving a system is vulnerable should never require breaking it. Here is how Pentrova's sealed sandbox demonstrates real impact without destructive actions.","date_published":"2026-03-10T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Engineering"}],"tags":["sandbox","poc","internals"],"image":"https://pentrova.ai/og/sandboxvalidator-never-destructive.png"},{"id":"https://pentrova.ai/blog/replayverifier-design-notes","url":"https://pentrova.ai/blog/replayverifier-design-notes","title":"Verifier design notes: why the smallest component decides what is a finding","summary":"The verifier is the smallest component that decides whether a chain is a finding. Here is why minimal surface area is the right design for a trust boundary.","content_text":"The verifier is the smallest component that decides whether a chain is a finding. Here is why minimal surface area is the right design for a trust boundary.","date_published":"2026-03-03T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Engineering"}],"tags":["architecture","replayverifier","internals"],"image":"https://pentrova.ai/og/replayverifier-design-notes.png"},{"id":"https://pentrova.ai/blog/static-vs-dynamic-chains","url":"https://pentrova.ai/blog/static-vs-dynamic-chains","title":"Curated vs dynamic attack chains: two ways to compose impact, one evidence bar","summary":"Pentrova's curated escalation catalog and the dynamic chains it builds at scan time are held to the same evidence standard. Here is how they differ and combine.","content_text":"Pentrova's curated escalation catalog and the dynamic chains it builds at scan time are held to the same evidence standard. Here is how they differ and combine.","date_published":"2026-02-24T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Research"}],"tags":["chains","research","llm"],"image":"https://pentrova.ai/og/static-vs-dynamic-chains.png"},{"id":"https://pentrova.ai/blog/log4shell-chain-replay","url":"https://pentrova.ai/blog/log4shell-chain-replay","title":"Log4Shell chain replay: confirming CVE-2021-44228 with an out-of-band callback","summary":"How to confirm Log4Shell (CVE-2021-44228) with an out-of-band DNS callback instead of a pattern match, and replay the follow-on escalation chain safely.","content_text":"How to confirm Log4Shell (CVE-2021-44228) with an out-of-band DNS callback instead of a pattern match, and replay the follow-on escalation chain safely.","date_published":"2026-02-17T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Engineering"}],"tags":["log4shell","chains","research","rce"],"image":"https://pentrova.ai/og/log4shell-chain-replay.png"},{"id":"https://pentrova.ai/blog/bola-hunting-microservices","url":"https://pentrova.ai/blog/bola-hunting-microservices","title":"BOLA hunting in microservices: how to find broken object-level authorization at scale","summary":"Broken object-level authorization (BOLA) only appears when two roles touch the same object. Here is how multi-role replay catches it at scale.","content_text":"Broken object-level authorization (BOLA) only appears when two roles touch the same object. Here is how multi-role replay catches it at scale.","date_published":"2026-02-10T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Research"}],"tags":["bola","authz","research","authorization-matrix"],"image":"https://pentrova.ai/og/bola-hunting-microservices.png"},{"id":"https://pentrova.ai/blog/dom-xss-canary-tainting","url":"https://pentrova.ai/blog/dom-xss-canary-tainting","title":"Canary-based taint tracking for DOM XSS: catching client-side bugs static analysis misses","summary":"How canary-based taint tracking tags every DOM ingress channel and watches a broad sink surface to catch DOM XSS that static analysis and reflection scans miss.","content_text":"How canary-based taint tracking tags every DOM ingress channel and watches a broad sink surface to catch DOM XSS that static analysis and reflection scans miss.","date_published":"2026-02-03T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Research"}],"tags":["xss","dom","research","canary"],"image":"https://pentrova.ai/og/dom-xss-canary-tainting.png"},{"id":"https://pentrova.ai/blog/hipaa-deterministic-proof","url":"https://pentrova.ai/blog/hipaa-deterministic-proof","title":"Compliance-mapped reports for HIPAA evidence collection","summary":"Replacing probability-scored findings with replayable PoC bundles shortens HIPAA and HITRUST evidence collection from weeks to days. Here is how.","content_text":"Replacing probability-scored findings with replayable PoC bundles shortens HIPAA and HITRUST evidence collection from weeks to days. Here is how.","date_published":"2026-01-27T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Engineering"}],"tags":["compliance","hipaa","best-practices"],"image":"https://pentrova.ai/og/hipaa-deterministic-proof.png"},{"id":"https://pentrova.ai/blog/oauth2-replay-attack-primer","url":"https://pentrova.ai/blog/oauth2-replay-attack-primer","title":"OAuth 2.0 replay attacks: authorization-code interception, missing PKCE, and how to test","summary":"A practical primer on OAuth 2.0 replay attacks — authorization-code interception, missing PKCE, and state-parameter gaps — with deterministic testing.","content_text":"A practical primer on OAuth 2.0 replay attacks — authorization-code interception, missing PKCE, and state-parameter gaps — with deterministic testing.","date_published":"2026-01-20T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Research"}],"tags":["oauth2","oauth","research","authz"],"image":"https://pentrova.ai/og/oauth2-replay-attack-primer.png"},{"id":"https://pentrova.ai/blog/llm-driven-exploit-chains","url":"https://pentrova.ai/blog/llm-driven-exploit-chains","title":"How Pentrova turns single bugs into exploit chains","summary":"Chains, not isolated findings, tell you whether an attacker can reach something that matters. Here is how Pentrova composes findings into proven impact.","content_text":"Chains, not isolated findings, tell you whether an attacker can reach something that matters. Here is how Pentrova composes findings into proven impact.","date_published":"2026-01-13T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Research"}],"tags":["chains","llm","research"],"image":"https://pentrova.ai/og/llm-driven-exploit-chains.png"},{"id":"https://pentrova.ai/blog/deterministic-poc-over-probabilistic-scans","url":"https://pentrova.ai/blog/deterministic-poc-over-probabilistic-scans","title":"Deterministic proof beats probabilistic CVSS: why replayable exploits change triage","summary":"Replayable exploit bundles change triage economics more than any severity score. Here is why deterministic proof beats probabilistic CVSS.","content_text":"Replayable exploit bundles change triage economics more than any severity score. Here is why deterministic proof beats probabilistic CVSS.","date_published":"2026-01-06T00:00:00.000Z","date_modified":"2026-05-31T00:00:00.000Z","authors":[{"name":"Pentrova Research"}],"tags":["research","poc","cvss","replayverifier"],"image":"https://pentrova.ai/og/deterministic-poc-over-probabilistic-scans.png"}]}