Notes

Blog

Technical write-ups. No product pitch, just the work.

• 2026-06-03 · Pricing

  How much does a startup pentest cost in Europe?

  From pricing signals to what actually moves the number for B2B SaaS.

• 2026-05-31 · AI red teaming

  Claude Mythos AI security: what SaaS CTOs need to fix before public release

  Claude Mythos found 10,000 critical vulnerabilities in one month of restricted testing. What it means for multi-tenant SaaS security and which authorization flaws to audit first.

• 2026-05-27 · AI red teaming

  AI agent identity security: why your SaaS product needs a new budget line

  Most SaaS companies fund AI agent identity security from the wrong budget. Here is what it actually costs and how to plan for it.

• 2026-05-22 · AI red teaming

  AI agent framework security: Claw Chain vulnerabilities and agentic AI risks

  What the Claw Chain vulnerabilities in OpenClaw reveal about AI agent attack surfaces, and what SaaS teams should be testing before they ship.

• 2026-05-14 · Pentest process

  What does a web app pentest include for a SaaS company?

  Deliverables, common coverage, and the difference between tiers in plain language.

• 2026-04-30 · Pentest process

  How Long Does a Startup Pentest Take?

  Scoping, calendar time, and what the typical windows look like for SaaS teams.

• 2026-04-29 · Compliance

  Do I Need a Pentest Before SOC 2?

  What auditors expect, when a pentest is in scope, and what you can de-risk without a full test.

• 2026-04-28 · Application security

  After CVE-2025-29927: the Next.js auth patterns that survived the patch

  CVE-2025-29927 is patched. Three specific Next.js auth patterns it exposed are not. How to audit your own app for each one.