Blog
Field notes from offensive security work, scraping research, and rate-limit investigations. Identifying details are changed for client confidentiality.
-
What a Scan Can and Cannot Tell You
A follow-up to the exposed vector database study. I loaded the scan data into BigQuery and measured what you can classify from scan data alone versus what needs an active probe. One signal is cheap to add. One gap cannot be closed by scanning harder.
-
The AI Writes Down Everything You Say, and Most of It Is Wide Open
The layer that logs what people actually say to their AI apps, the prompts and the responses, is sitting on the open internet. I found 274 instances and 71 percent had no authentication at all. Enumerate-only methodology, nothing read.
-
The AI Remembers Everything, and a Lot of It Is Wide Open
A reproducible Censys-based measurement of exposed Qdrant and Weaviate vector databases. 73.5% of reachable Qdrant instances required no authentication, with medical, legal, and financial data sitting open. Enumerate-only methodology, no stored data accessed.
-
What I Built and Why
Why I built Phantom Feed, a browser-based SQL workbench for practicing scraping and abuse investigations on realistic synthetic traffic. The gap it fills, what is in it, and who it is for.
-
A Practical Look at Scraping Behavior
How sophisticated scrapers shape their traffic to blend in, why single-signal detection fails, and which behavioral patterns still give them away when you stack signals correctly.
-
Bots and Scrapers: Motivations, Tactics, and Defenses
A field guide to who runs scraping operations, what they're after, and what realistic defenses look like beyond the obvious blocklist.
-
A Tale of Tokens, Cookies, and Curious Behaviors
A mobile-API rate limit that reset itself once a generic cookie was added to the request. The mechanics of why this happens and what rate-limit-key design choices invite it.
-
Rediscovering a Rate Limit Bypass: Cookie Header Strikes Again
A second encounter with a cookie-vs-token rate-limit bypass on a different platform, and what it tells us about how often this pattern recurs across the industry.
-
Bypassing Rate Limits Using The Host Header
Two domains sharing one backend but tracking rate limits separately. A simple Host header swap multiplied the allowable request budget.
-
Sandboxed Escaping
A sandbox test user that was supposed to be isolated turned out to have a quiet path into a sister platform's real user data. The token mechanics that made it possible.