Behind the Firewall ft. Joseph Kirkpatrick

by Morgan Prost / May 21, 2026

Audits work best when there's transparency, not secrecy. During a recent engagement, Joseph encountered a situation that revealed much more than just a technical risk... a cultural one. The client confirmed their penetration test was set for the weekend, but buried in the same email thread were plans to shut down vulnerable servers that Friday at 4:00 p.m., then quietly bring them back online after the test. The intent behind this wasn’t…

Behind the Firewall ft. Steven Collins

by Morgan Prost / May 21, 2026

What happens when important services, assumed to be covered, aren't? Many companies employ third parties to perform critical IT and security functions. These third parties often maintain high levels of access to an environment and are governed by contracts/MSAs. But what happens when the services assumed to be covered... aren’t? Lead Practitioner Steven Collins worked with a healthcare organization that believed their third-party vendor was handling a significant amount of their IT…

Behind the Firewall ft. John Burkhart

by Morgan Prost / May 21, 2026

Audits aren’t just about ticking a checkbox; they're about building operational resilience. During a recent SOC 2 gap assessment, Information Security Auditor John Burkhart identified a major risk: the client lacked a formalized data backup and restoration process. Backups to the cloud occurred sporadically, with no consistent schedule or oversight. Compounding the issue, restoration of these backups had never been tested, leaving significant uncertainty about their reliability in the event…

Behind the Firewall ft. Trevor Murphy

by Morgan Prost / May 21, 2026

Security headers are supposed to make things simpler, but what happens when they're misunderstood? Pentester Trevor Murphy has spent the last five years focused on client-side security, and he’s seen the landscape shift dramatically. “When I first started in pen testing, web app security was a lot more fragmented. You had a separate header for each directive, one rule per line. Now, with Content Security Policies (CSPs), it’s all condensed into…

Behind the Firewall ft. Sean Rosado

by Morgan Prost / May 21, 2026

Not everything is a critical issue, but each deserves a closer look. During a recent engagement, Sean flagged a cross-site scripting vulnerability. Given the nature of the application and the use case for the affected functionality, the client believed the finding was a false positive. They agreed to schedule a session to dig deeper. Sean spent some time before the session building an additional proof of concept that further demonstrated the…