https://pentstark.com/blog CVE analyses, TTP walkthroughs, and methodology deep-dives from PentStark. en-us Fri, 24 Apr 2026 06:21:58 GMT https://pentstark.com/blog/mcp-servers-are-the-new-vendor-risk https://pentstark.com/blog/mcp-servers-are-the-new-vendor-risk Wed, 22 Apr 2026 00:00:00 GMT noreply@pentstark.com (PentStark AI Research) AI Security Every MCP server you plug into your agent is a trust boundary. Here's how to audit them like the supply-chain risk they are. https://pentstark.com/blog/passkeys-enterprise-18-months-in https://pentstark.com/blog/passkeys-enterprise-18-months-in Sat, 18 Apr 2026 00:00:00 GMT noreply@pentstark.com (PentStark Red Team) Identity Five recurring attack paths we've found in enterprise passkey rollouts since they became table stakes. https://pentstark.com/blog/eu-ai-act-red-teaming https://pentstark.com/blog/eu-ai-act-red-teaming Wed, 15 Apr 2026 00:00:00 GMT noreply@pentstark.com (PentStark Compliance) Compliance Article 15 and 54a say you need cybersecurity and adversarial testing. Here's the engagement shape the first audit cycle accepted. https://pentstark.com/blog/ad-cs-esc1-misconfiguration https://pentstark.com/blog/ad-cs-esc1-misconfiguration Fri, 10 Apr 2026 00:00:00 GMT noreply@pentstark.com (PentStark Red Team) Active Directory How a single ManageCA + supplied-subject template got us to domain admin in 22 minutes. https://pentstark.com/blog/kubernetes-ingress-is-the-new-dmz https://pentstark.com/blog/kubernetes-ingress-is-the-new-dmz Fri, 03 Apr 2026 00:00:00 GMT noreply@pentstark.com (PentStark Cloud) Cloud Security Ingress controllers parse untrusted input, reach every service, and run privileged. They are a DMZ, not a detail. https://pentstark.com/blog/llm-tool-use-escalation https://pentstark.com/blog/llm-tool-use-escalation Sat, 28 Mar 2026 00:00:00 GMT noreply@pentstark.com (PentStark AI Research) AI Security A case study on bridging a benign prompt-injection primitive into full agent compromise. https://pentstark.com/blog/dora-ict-testing-first-cycle-lessons https://pentstark.com/blog/dora-ict-testing-first-cycle-lessons Fri, 20 Mar 2026 00:00:00 GMT noreply@pentstark.com (PentStark Compliance) Compliance What we learned running threat-led penetration tests under DORA Articles 26–27 across the first wave of 2026 audits. https://pentstark.com/blog/bola-across-microservices https://pentstark.com/blog/bola-across-microservices Thu, 12 Mar 2026 00:00:00 GMT noreply@pentstark.com (PentStark PTaaS) AppSec Why BOLA is the most under-tested flaw class in modern SaaS — and how we find it. https://pentstark.com/blog/lockfile-injection-supply-chain https://pentstark.com/blog/lockfile-injection-supply-chain Thu, 05 Mar 2026 00:00:00 GMT noreply@pentstark.com (PentStark Product Security) AppSec Pinning your lockfile is necessary but not sufficient. Here's the pattern attackers are using to slip past SCA tools. https://pentstark.com/blog/ransomware-ready-posture-check https://pentstark.com/blog/ransomware-ready-posture-check Fri, 20 Feb 2026 00:00:00 GMT noreply@pentstark.com (PentStark Red Team) Red Team A red-team scoping guide for boards asking 'are we ransomware-ready?' https://pentstark.com/blog/soc2-without-slowing-down https://pentstark.com/blog/soc2-without-slowing-down Wed, 04 Feb 2026 00:00:00 GMT noreply@pentstark.com (PentStark Compliance) Compliance Patterns for embedding evidence collection into your engineering workflow. https://pentstark.com/blog/ssdlc-shift-left-patterns https://pentstark.com/blog/ssdlc-shift-left-patterns Thu, 22 Jan 2026 00:00:00 GMT noreply@pentstark.com (PentStark Product Security) Product Security The three patterns that make product-security programs work — and the three that quietly kill them.