Resources
Writing from the trenches.
Checklists, teardowns, and honest field notes from CAASLABS engagements. No fluff, no vendor-speak, no pivot tables from the marketing team.
33 results
- Penetration Testing 12 min read
What to Expect from a Penetration Test (And How to Prepare)
A buyer's guide to penetration testing — what scope, rules of engagement, and deliverables actually mean, how to read a report, what to fix first, and how to tell a real pentest from a vulnerability scan with a logo on it.
- Penetration Testing 15 min read
Threat Modeling a Real System: A STRIDE Walkthrough on a Realistic Stack
An end-to-end STRIDE threat model on a realistic web app + API + RAG + cloud architecture. Trust boundaries, data flow diagrams, threat enumeration, and the prioritization framework we use to decide what to fix first.
- DevSecOps 12 min read
SBOMs for Teams Getting Asked for One: A Practical Guide
A practical guide to software bills of materials — SPDX vs CycloneDX, generating them with Syft, scanning with Grype, signing them with cosign, where to store them, and what enterprise customers actually do with them.
- AI Security 14 min read
Prompt Injection Defense Patterns That Actually Work (And the Ones That Don't)
Defender's companion to the AI Red Team Playbook. Input filtering, output sanitization, dual-LLM patterns, capability sandboxing, and the defenses that keep failing in audits.
- DevSecOps 14 min read
axios@1.14.1 and axios@0.30.4 Compromised: Inside the npm Supply-Chain Attack
A technical teardown of the March 2026 axios npm supply-chain compromise — versions 1.14.1 and 0.30.4 published from a hijacked maintainer account, the malicious plain-crypto-js@4.2.1 postinstall RAT, IOCs, attribution to Sapphire Sleet / UNC1069, and what to do if you pulled a bad version.
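As an added example (not code from the CAASLABS teardown above), a first triage step for the "did we pull a bad version" question: scan a `package-lock.json` for the exact versions the summary names, including copies nested under other dependencies, where a top-level `npm ls axios` is easy to misread. The lockfile contents are constructed inline so the script runs offline; the package names and versions are taken from the teardown summary and are the only assumption.

```javascript
// Added example: flag the package versions named in the teardown inside an npm lockfile.
// Handles lockfile v2/v3 ("packages" map, keys like "node_modules/foo/node_modules/axios")
// and v1 (nested "dependencies" tree). Versions below come from the teardown summary.
const BAD_VERSIONS = {
  "axios": new Set(["1.14.1", "0.30.4"]),
  "plain-crypto-js": new Set(["4.2.1"]),
};

// Returns [{ name, version, where }] for every matching install path in the lockfile.
function findCompromised(lock, bad = BAD_VERSIONS) {
  const hits = [];
  const check = (name, version, where) => {
    if (bad[name] && bad[name].has(version)) hits.push({ name, version, where });
  };

  if (lock.packages) {
    // v2/v3: flat map keyed by install path; "" is the root project itself.
    // Scoped names survive the slice ("node_modules/@scope/pkg" -> "@scope/pkg").
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (!path) continue;
      const marker = "node_modules/";
      const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
      check(name, entry.version, path);
    }
    // v2 lockfiles also carry a legacy "dependencies" tree; skip it to avoid double counting.
    return hits;
  }

  // v1: recursive "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = `${prefix}${name}`;
      check(name, entry.version, where);
      walk(entry.dependencies, `${where} > `);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Parse a lockfile's text and scan it.
function scanLockfileText(text, bad = BAD_VERSIONS) {
  return findCompromised(JSON.parse(text), bad);
}

// Constructed sample lockfiles (not real project data): one v3 with a nested axios copy,
// one v1 with the bad axios only reachable through another dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1" },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/legacy-tool": { version: "2.0.0" },
    "node_modules/legacy-tool/node_modules/axios": { version: "0.30.4" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "legacy-tool": { version: "2.0.0", dependencies: { axios: { version: "0.30.4" } } },
    lodash: { version: "4.17.21" },
  },
};

// CLI use: node scan-lock.js ./package-lock.json  (falls back to the constructed sample)
if (typeof require === "function" && require.main === module) {
  const text = process.argv[2]
    ? require("fs").readFileSync(process.argv[2], "utf8")
    : JSON.stringify(SAMPLE_LOCK);
  for (const h of scanLockfileText(text)) {
    console.log(`COMPROMISED ${h.name}@${h.version} at ${h.where}`);
  }
}
```

A hit here means the version was resolved into the tree, not that the postinstall ran on a given host; cross-check the install timeline and the IOCs from the teardown before deciding which machines need credential rotation.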
- Cloud Security 13 min read
Zero Trust Without the Vendor Pitch: A Pragmatic Roadmap
What Zero Trust actually means in practice for a real engineering org — the five things to ship first, what to ignore, how to sequence the work, and how to talk about it with leadership without using buzzwords.