Insights
Security insights and practical perspective
How a poisoned VS Code extension led to GitHub's May 2026 internal repository breach, the chain of connected companies compromised by TeamPCP, and the controls that actually reduce developer supply chain risk.
What CVE-2026-44578 reveals about how server-side request forgery still slips into web frameworks, where it bites hardest, and how to defend beyond patching.
Why CVSS base scores create noise, what CVSS 4.0 changes, and how to combine CVSS with KEV and EPSS for defensible vulnerability prioritisation.
How the CISA KEV catalogue transforms vulnerability prioritisation, where it fits alongside EPSS and CVSS, and a simple defensible workflow.
Understand the factors that determine how often to schedule penetration tests, including compliance requirements, organisational complexity and change frequency.
Learn how external and internal penetration tests differ, what each aims to uncover, and why both are essential to a comprehensive security programme.
Why APIs fail differently to web apps, the OWASP API issues that keep surfacing in 2026, and what a credible API security baseline looks like.
How attackers map your internet-facing assets, the entry points they most often exploit, and the small set of changes that meaningfully reduce risk.
A practical guide to evaluating penetration test reports — what good reporting contains, what to ignore, and how to judge quality from the first three pages.
The UK ransomware payment ban, notification regime and mandatory reporting requirements explained — plus the controls that materially reduce impact.
Why password complexity rules fail against modern Active Directory attacks, how AD compromise actually unfolds, and the controls that genuinely reduce risk.
Why SaaS organisations need focused penetration testing across applications, APIs, cloud platforms, identity systems and multi-tenant architecture.
A practical guide to help organisations prepare for penetration testing engagements, including scoping, documentation, rules of engagement and scheduling.
An evidence-based walkthrough of a well-run penetration test, covering pre-engagement planning, discovery, exploitation, reporting and retesting.
Penetration testing and vulnerability scanning serve different purposes. A clear, practical guide to what each delivers, where each falls short, and how to choose the right mix.
