Field notes from
the testing bench.
Long-form essays on prompt-injection methodology, OWASP LLM Top 10 coverage decisions, and how to turn ad-hoc red-teaming into evidence that survives a SOC 2 review. Edited by our research team. No newsletter pop-ups.
Indirect Prompt Injection: Why RAG Is Your Weakest Link
Indirect prompt injection arrives via retrieved content, not user input — and is where most production LLM failures live. How to test RAG for it.
OWASP LLM Top 10 Explained for AppSec Engineers
An AppSec engineer's read of the OWASP LLM Top 10 (2025): what each category means in production, how to test it, what to put in your threat model.
Prompt Injection Testing: The 2026 Practitioner's Guide
A practitioner's guide to prompt injection testing for AppSec engineers: what to test, how to score it, and what evidence holds up in a 2026 audit.
We publish a new issue when the research is ready, not on a schedule. Want a heads-up? Create an account and we'll email you when each issue lands. No marketing spam.