Blog

Welcome to the Blog.

Recon Pipeline with Unix Tools

2026-02-22

Recon tooling has exploded, but many workflows are still stronger when built from composable Unix primitives instead of a single monolithic scanner. The reason is control: you can tune each step, inspect intermediate data, and adapt quickly when targets or scope constraints change.

A practical recon pipeline is not about running every tool. It is about building trustworthy data flow: ...
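To make the "trustworthy data flow" idea concrete, here is a small recon pipeline assembled from plain Unix tools. It is an added example written for this page, not code from the post itself. Each stage reads the previous stage's file and writes its own numbered file, so any stage can be inspected, diffed or re-run alone, and a sudden drop in the per-stage counts points at the stage to look at. The hostnames, addresses, scope list and the host-to-address table that stands in for a DNS resolver are all constructed sample data, not real targets.

```shell
# Added example, not the post's own code: a small recon pipeline built from
# composable Unix tools. Every stage reads the previous stage's file and
# writes its own, so intermediate data can be inspected, diffed or re-run
# on its own. All hostnames, addresses and the scope list are constructed
# sample data, not real targets.
set -eu
export LC_ALL=C   # sort and join must agree on collation

WORK="${WORK:-$(mktemp -d)}"

# Stage 0: constructed raw output of the kind a subdomain enumerator emits
# (mixed case, trailing dots, duplicates, wildcard noise, out-of-scope hosts).
cat > "$WORK/00-raw.txt" <<'EOF'
WWW.Example.com
api.example.com.
api.example.com
*.dev.example.com
staging.example.com
mail.example.org
cdn.example.com
EOF

# Scope: one allowed domain suffix per line (constructed). Keep the leading
# dot: a bare "example.com" would also admit "notexample.com".
printf '%s\n' '.example.com' > "$WORK/scope.txt"

# Stage 1: normalise. Lowercase, strip trailing dot, drop wildcards, dedupe.
stage_normalize() {
  tr 'A-Z' 'a-z' < "$WORK/00-raw.txt" \
    | sed 's/\.$//' \
    | grep -v '^\*' \
    | sort -u \
    | tee "$WORK/10-normalized.txt"
}

# Stage 2: scope filter. Keep hosts whose name ends in an allowed suffix.
# awk rather than grep, so the suffix list is never interpreted as a regex.
stage_scope() {
  awk 'NR == FNR { suffix[$0]; next }
       { for (s in suffix)
           if (substr($0, length($0) - length(s) + 1) == s) { print; break } }' \
      "$WORK/scope.txt" "$WORK/10-normalized.txt" \
    | tee "$WORK/20-inscope.txt"
}

# Stage 3: resolve. A constructed host->address table stands in for DNS so
# the example runs offline; a real resolver drops in at this one spot.
stage_resolve() {
  printf '%s\n' \
    'www.example.com 203.0.113.10' \
    'api.example.com 203.0.113.20' \
    'cdn.example.com 198.51.100.5' \
    | sort > "$WORK/resolver-table.txt"
  # join wants both inputs sorted on field 1: sort -u in stage 1 covers the
  # left side, the sort above the right. Unresolved hosts fall out here.
  join "$WORK/20-inscope.txt" "$WORK/resolver-table.txt" \
    | tee "$WORK/30-resolved.txt"
}

# Run every stage, then print one count per stage for a quick sanity check.
run_pipeline() {
  stage_normalize > /dev/null
  stage_scope > /dev/null
  stage_resolve > /dev/null
  for f in 00-raw 10-normalized 20-inscope 30-resolved; do
    printf '%s=%s ' "$f" "$(wc -l < "$WORK/$f.txt" | tr -d ' ')"
  done
  printf '\n'
}

run_pipeline
```

On the sample data the summary line reads `00-raw=7 10-normalized=5 20-inscope=4 30-resolved=3`, and `diff $WORK/10-normalized.txt $WORK/20-inscope.txt` shows exactly which host the scope filter removed. That is the property worth keeping when you swap real tools into each stage: the files between stages are the audit trail.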

Giant Log Lenses: Testing Wide Content

2026-02-22

When dashboards hide detail, I still go back to raw logs and text-first tools.
This short note is intentionally built as a rendering stress test: some code lines are much wider than the article window to verify horizontal scrolling behavior. The examples are realistic enough to copy, but the primary goal is visual QA for long literals, long command chains, and dense tabular output.

rg --no-heading --with-filename --line-number --color=never "timeout|connection reset|tls handshake|upstream prematurely closed" ./logs/production/edge/*.log | jq -R -r 'split(":") | "\(.[0])|\(.[1])|\(.[2:]|join(":"))"' | sort -t'|' -k1,1 -k2,2n | awk 'BEGIN{FS="|"} {printf "%-42s | L%-6s | %s\n",$1,$2,$3}'

2-liner (wide structured print)

rows=[{"ts":"2026-02-22T04:31:55Z","service":"api-gateway-eu-central-1-prod-blue","endpoint":"/v1/orders/checkout/recalculate-shipping-and-tax","latency_ms":912,"trace":"9f58b69b2d7d4a21a3f17d5e4f7a0112"}]
print("\n".join(f"{r['ts']} | {r['service']:<36} | {r['latency_ms']:>4}ms | {r['endpoint']} | trace={r['trace']}" for r in rows))

4-liner (wide payload path)

const payload = {tenant:"northwind-enterprise-platform",env:"production-eu-central-1",featureFlags:["long-session-replay-streaming","websocket-fallback-polling","incremental-checkpoint-serializer-v2"],meta:{requestId:"4b1d3be8fd7e4ad6a9f8c71e2bbf9a44",userAgent:"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/124.0.0.0 Safari/537.36"}};
const digest = btoa(JSON.stringify(payload)).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,""); // base64url-encoded body used as an opaque tag; this is an encoding, not a hash or integrity check
const url = `https://collector.example.internal/v2/telemetry/ingest/really/long/path/that/keeps/going?tenant=${payload.tenant}&env=${payload.env}&digest=${digest}`;
fetch(url,{method:"POST",headers:{"content-type":"application/json","x-trace-id":"4b1d3be8fd7e4ad6a9f8c71e2bbf9a44"},body:JSON.stringify(payload)});

Wide table sample

Service | Endpoint | Example artifact | Notes
api-gateway-eu-central-1-prod-blue | /v1/orders/checkout/recalculate-shipping-and-tax | trace=9f58b69b2d7d4a21a3f17d5e4f7a0112;span=7e5b57e0f9c04a9d;attempt=03;zone=eu-central-1b | Extra-wide row to force horizontal overflow
realtime-session-broker | /ws/connect/tenant/northwind-enterprise-platform/client/web-desktop-legacy-fallback | wss://rt.example.internal/ws/connect/tenant/northwind-enterprise-platform/client/web-desktop-legacy-fallback?resumeToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... | Long URL + token-like payload

If this article behaves correctly, code blocks and tables stay on one logical line and can be scrolled horizontally without breaking the text grid style. ...

Building Repeatable Triage Kits

2026-02-22

Security triage often fails for a boring reason: every analyst starts from a different local setup. Different aliases, different tool versions, different output assumptions, different artifact paths. The result is inconsistent decisions and hard-to-compare findings.

A repeatable triage kit solves this by packaging workflow, not just binaries. ...
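What "packaging workflow" looks like in practice, as an added example written for this page rather than the post's own kit: a shell skeleton that pins the tools a run may use, records their paths and versions, forces one case directory layout, keeps a hashed ledger of everything collected, and makes each playbook step write its output to a fixed path in a fixed shape. The required-tool list, the case name, and the sample auth log are constructed for the example.

```shell
# Added example, not the post's own code: the skeleton of a triage kit that
# packages workflow rather than binaries. It pins which tools a run may use,
# records their paths and versions, forces one artifact layout, and keeps a
# hashed ledger so two analysts' collections can be compared line by line.
# The required-tool list, case name and sample log are constructed.
set -eu
export LC_ALL=C

# Tools every run must find on PATH. Short here; a real kit lists everything
# the playbook invokes.
KIT_REQUIRED_TOOLS="awk sort grep"

# Portable SHA-256: GNU coreutils sha256sum or BSD/macOS shasum.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# One layout for every case: raw/ is never edited, derived/ holds step output,
# manifest/ records which tools ran and what was collected.
kit_init() {
  case_dir=$1
  mkdir -p "$case_dir/raw" "$case_dir/derived" "$case_dir/manifest" "$case_dir/notes"
  : > "$case_dir/manifest/tools.txt"
  for t in $KIT_REQUIRED_TOOLS; do
    path=$(command -v "$t") || { echo "missing required tool: $t" >&2; return 1; }
    # Not every tool answers --version; record "unknown" rather than guess.
    ver=$("$t" --version </dev/null 2>/dev/null | head -n 1) || true
    printf '%s\t%s\t%s\n' "$t" "$path" "${ver:-unknown}" >> "$case_dir/manifest/tools.txt"
  done
  printf 'artifact\tsha256\tsource\n' > "$case_dir/manifest/artifacts.tsv"
}

# Copy an artifact into raw/ under a fixed name and ledger its hash and origin.
kit_collect() {
  case_dir=$1; src=$2; name=$3
  cp "$src" "$case_dir/raw/$name"
  printf '%s\t%s\t%s\n' "raw/$name" "$(hash_file "$case_dir/raw/$name")" "$src" \
    >> "$case_dir/manifest/artifacts.tsv"
}

# One playbook step. Every analyst's output lands at the same path in the
# same shape (count, message with timestamp stripped), so runs are diffable.
kit_step_denials() {
  case_dir=$1
  grep -h -i -e 'not allowed' -e 'denied' "$case_dir"/raw/*.log \
    | cut -d' ' -f2- | sort | uniq -c | sort -rn \
    > "$case_dir/derived/denials.txt"
  wc -l < "$case_dir/derived/denials.txt" | tr -d ' '
}

# Recompute every ledgered hash; a mismatch means raw/ changed after collection.
kit_verify() {
  case_dir=$1
  tail -n +2 "$case_dir/manifest/artifacts.tsv" \
    | while IFS="$(printf '\t')" read -r rel expected src; do
        actual=$(hash_file "$case_dir/$rel")
        [ "$actual" = "$expected" ] || { echo "MISMATCH $rel ($src)" >&2; exit 1; }
      done
}

# Constructed sample: an auth log with two identical sudo denials.
CASE="${CASE:-$(mktemp -d)/case-0001}"
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
2026-02-22T04:31:55Z sshd[812]: Accepted publickey for deploy from 203.0.113.7
2026-02-22T04:32:01Z sudo: deploy : command not allowed ; TTY=pts/0 ; COMMAND=/bin/sh
2026-02-22T04:32:03Z sudo: deploy : command not allowed ; TTY=pts/0 ; COMMAND=/bin/sh
2026-02-22T04:32:10Z kernel: audit: permission denied for /etc/shadow
EOF

kit_init "$CASE"
kit_collect "$CASE" "$SAMPLE_LOG" auth.log
kit_verify "$CASE"
kit_step_denials "$CASE"
```

The point of the ledger is not forensic-grade chain of custody; it is that two analysts running the same kit on the same evidence produce byte-identical `manifest/` and `derived/` trees, so disagreements show up as a diff instead of a debate. The tools manifest is what lets you explain a discrepancy when they do not.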

Threat Modeling in the Small

2026-02-22

When people hear “threat modeling,” they often imagine a conference room, a wall of sticky notes, and an enterprise architecture diagram no single human fully understands. That can be useful, but it can also become theater. Most practical security wins come from smaller, tighter loops: one feature, one API path, one cron job, one queue consumer, one admin screen.

I call this “threat modeling in the small.” The goal is not to produce a perfect model. The goal is to make one change safer this week without slowing delivery into paralysis. ...

Security Findings as Design Feedback

2026-02-22

Security reports are often treated as defect inventories: patch issue, close ticket, move on. That workflow is necessary, but it is incomplete. Many findings are not isolated mistakes; they are design feedback about how a system creates, hides, or amplifies risk. Teams that only chase individual fixes improve slowly. Teams that read findings as architecture signals compound their improvements, because each structural fix removes a class of bugs rather than one instance.

A useful reframing is to ask, for each vulnerability: what design decision made this class of bug easy to introduce and hard to detect? The answer is frequently broader than the code diff. Weak trust boundaries, inconsistent authorization checks, ambiguous ownership of validation, and hidden data flows are structural causes. Fixing one endpoint without changing those structures guarantees recurrence. ...