FN FIELD NOTES · UPDATED WEEKLY

Writeups from the team that actually breaks in, not the team that talks about it.

No thought leadership. No "10 trends for 2026." Just working notes — the bug we caught yesterday, the chain we built last sprint, the parser quirk that paid out, the toolchain we re-wired after a client engagement.

If a post lands here, it's because someone on the bench learned something worth sharing. Filter by tag, or scroll the lot.

3 posts published
11 topic tags
0 sponsored posts, ever
New writeup published today
Reviewed by 3 operators before going live
THE LOG

All writeups, newest first.

CPaaS Webhook Security
Managed bug bounty playbook for CPaaS webhook and API security. Outbound fetcher SSRF, HMAC replay, inbound DLR and MO abuse, cross-tenant routing, secret leakage, idempotency bugs, PII in callbacks.
Broken Authentication
Broken Authentication manual testing guide
JS Obfuscation
Why it exists, how it works, and how to tear it apart — string encoding, control flow flattening, eval packing, and a 15-minute triage workflow.
— ON THE BENCH

Bench-time research, not content marketing.

Every post here came out of real client work or self-directed research. We don't write to rank — we write so the next operator on the team doesn't have to re-learn the same trick.

Have a CVE or chain you'd like reviewed before disclosure? Want us to break apart a finding on your stack?

Talk to the team
WHAT GOES IN A POST
  • The bug, the chain, or the technique — explained the way we'd brief a teammate
  • Real payloads and real fixes, not pseudo-code for a slide deck
  • Reproduction steps that survive a copy-paste
  • What we'd do differently if we hit it again