All Blogs

Explore our collection of in-depth articles on AI-powered security, penetration testing, and real-world vulnerability discoveries.

Compliance

Geolocation

iGaming

FEATURED

Bug of the Week: Betting on Compliance Controls That Stopped at the Front End

A licensed sportsbook accepted bets carrying a DENIED geolocation verdict. The SDK worked. The token was signed. The backend just never enforced the decision.

David Mound

9 min read

Prompt Injection

Compliance Bypass

Bug of the Week: How a 30-Word PDF Approved Unsafe Products for Shipment

A crafted PDF containing 30 words of plain text bypassed the entire product compliance validation pipeline at a global retail organisation. The LLM read the document, accepted the injected instructions as fact, and approved non-compliant products for shipment.

David Mound

10 min read

MFA

Authentication

A Pentest That Skips MFA Is Fiction

How Shinobi's AI agents handle email and SMS authentication without weakening your security posture.

Priyank Gupta

6 min read

Fix Verification

Exploit Replay

One-Click Fix Verification

How long a developer waits to find out whether their patch actually worked directly determines how long their software stays vulnerable. Shinobi shrinks that window to a single click.

Varun Uppal

7 min read

Zendesk

Misconfiguration

Zendesk Chat Attachments: An Insecure Default Worth Checking

While working with a client, we discovered that Zendesk's chat widget allows unauthenticated access to file attachments by default. Here's what we found and how to fix it.

David Mound

12 min read

Vulnerability Chaining

Post-Exploitation

Introducing Aggressor Mode

Finding vulnerabilities doesn't make systems secure — showing their impact does. Aggressor Mode transforms Shinobi into an unrelenting adversary that chains vulnerabilities and demonstrates maximum realistic impact.

Varun Uppal

10 min read

Business Logic

Vulnerability Chaining

Chaining Five Business Logic Flaws to Steal $999,999

How an AI Pentester Found What Scanners Can't ... and most humans would miss

David Mound

14 min read

DAST

Application Security

Rethinking Application Security Testing: From DAST Scanners to AI-Powered Pentesting

DAST scanners were built to scale vulnerability detection, not adversarial reasoning. This post explores how AI-powered pentesting changes application security testing by focusing on real-world attack paths and risk.

Varun Uppal

4 min read

LLM Security

Prompt Injection

Leaking OpenAI's Hidden GPT-5 System Prompt via Context Poisoning

A post-mortem on a critical vulnerability where a "smarter" reasoning model was tricked by a fundamental architectural flaw. What is "Juice: 64"?

Abhishek Gehlot

12 min read

Mobile Security

Automation

Meet the world's first AI-powered mobile app pentester

Shinobi can now pentest mobile apps with same skills and precision of traditional pentesting... but does it faster and continuously

Varun Uppal

6 min read

IDOR

Privilege Escalation

One Parameter to Rule Them All: How a User Flaw Unlocked an Admin Fortress

How Shinobi exploited a single vulnerable parameter in an EV charging platform to cross security boundaries and gain full administrative access.

Abhishek Gehlot

9 min read

Authorization

IDOR

The Ghost in the API: How Shinobi Turned a Single Flaw into Super Admin Access

A journey through an IoT platform where learning from rejection led to uncovering a complete authorization breakdown and a hidden Super Admin account.

Abhishek Gehlot

10 min read

IDOR

Data Privacy

More Than an Invoice: How Shinobi Averted a Child Safety Crisis

How an AI pentester turned a routine test on a holiday camp booking app into the prevention of a serious child safety and data privacy incident by uncovering a critical IDOR vulnerability.

Abhishek Gehlot

8 min read

SAST

DAST

AI Pentesting VS AI Code Scanning

A bakeoff between a next-gen pentester and code scanner reveals why testing live applications still uncovers vulnerabilities that code scanning alone can't catch.

Varun Uppal

6 min read

Logic Flaws

Business Logic

Using AI to find logic flaws

How an AI Agent discovered a business logic flaw in a Popular Web Application by thinking creatively and connecting the dots like a human pentester.

Abhishek Gehlot

10 min read

All Blogs

Bug of the Week: Betting on Compliance Controls That Stopped at the Front End

Bug of the Week: How a 30-Word PDF Approved Unsafe Products for Shipment

A Pentest That Skips MFA Is Fiction

More Articles

One-Click Fix Verification

Zendesk Chat Attachments: An Insecure Default Worth Checking

Introducing Aggressor Mode

Chaining Five Business Logic Flaws to Steal $999,999

Rethinking Application Security Testing: From DAST Scanners to AI-Powered Pentesting

Leaking OpenAI's Hidden GPT-5 System Prompt via Context Poisoning

Meet the world's first AI-powered mobile app pentester

One Parameter to Rule Them All: How a User Flaw Unlocked an Admin Fortress

The Ghost in the API: How Shinobi Turned a Single Flaw into Super Admin Access

More Than an Invoice: How Shinobi Averted a Child Safety Crisis

AI Pentesting VS AI Code Scanning

Using AI to find logic flaws