← Blog · Cluster · Practitioner deep dives

AppSec field guide

OWASP, in practice. Concrete patterns, real-world finding write-ups, and what fixes actually survive contact with production.

Jul 11, 2026

CyberGrid publishes State of SaaS Security 2026 — quarterly industry report

Independent security-and-compliance practice known for flat-fee penetration testing publishes its quarterly report on 186 public SaaS companies. Report finds 61 percent still ship without a Content-Security-Policy despite near-universal TLS 1.3 adoption.

4 MIN →
Jul 11, 2026

The five-line CSP rollout that actually works

Ship Content-Security-Policy in three steps: report-only for two weeks, inventory the violations, then enforce. The specific header values, the exact endpoint you need, and the three violation categories to expect.

2 MIN →
Jul 11, 2026

The State of SaaS Security 2026 — what 186 company scans reveal

We ran a public-posture snapshot against 186 SaaS companies — from Stripe and Twilio down to niche verticals — and graded them on HTTPS, TLS, security headers, and stack disclosure. The headline: TLS is a solved problem, headers are a mess, and the surface tells only part of the story.

12 MIN →
May 30, 2026

IDOR: the bug class that keeps killing SaaS startups

Broken object-level authorization is the most common critical finding in SaaS pen tests in 2026. Here's why it happens, how to find it, and the patterns that fix it for good.

8 MIN →
May 25, 2026

Security headers cheat sheet for 2026

What each security header actually does, what value to set, and why most CSP rollouts fail (and how to do it without breaking the site).

6 MIN →
May 22, 2026

A working dependency-CVE strategy that doesn't drown your team

How to triage dependency vulnerabilities so you fix what actually matters, ignore what doesn't, and stop your security backlog from drowning the team.

6 MIN →