The Latest From Our Team



  • Pentesting
  • Tools & Techniques

Pentesting Apache Kafka 101: Top 5 Security Misconfigurations

Discover the security misconfigurations that can affect an Apache Kafka cluster and the steps you can take to mitigate them. Improve your Apache Kafka security with these best practices.

Reading Time: 10 minutes
Syn Cubes Community - April 24, 2023
  • Pentesting
  • Tools & Techniques

AppSec: Using Radamsa to Fuzz for User Input Validation

Web applications are everywhere these days, from our banking to our social media accounts - and security is an ever-growing concern for both developers and users alike. Improper input validation is a major source of those security vulnerabilities, which can lead to potentially devastating results if left unchecked.

Reading Time: 6 minutes
Syn Cubes Community - February 28, 2023
  • Executive Level
  • Managing Risk

Top 5 Agile Pentesting Challenges in DevOps

As Agile software development adoption continues to grow, businesses are increasingly looking to incorporate manual, human-driven penetration testing, dynamic vulnerability code analysis, and SAST tools into their CI/CD pipelines. However, it is equally important for businesses to be aware of the challenges this approach presents in their efforts to create and deploy secure software.

Reading Time: 6 minutes
Dragos Stanescu - December 15, 2022
  • Executive Level
  • Managing Risk

Agile Pentesting — Benefits

An Agile pen test is a new approach to pentesting that allows security professionals to adapt quickly to changing needs and environments. The takeaway is that organizations benefit from staying ahead of the curve regarding security threats and from effectively protecting their systems against the wide range of newly discovered attack vectors reported in the current threat landscape.

Reading Time: 4 minutes
Dragos Stanescu - November 18, 2022
  • Executive Level
  • Managing Risk

CISA CPG Checklist v1.0

We share the following as a simplified visual version and a Word document that address the security controls in the CISA Account Security v1.0 Official Guideline.

Reading Time: 4 minutes
Syn Cubes Community - November 6, 2022
  • General
  • Announcement

We've Changed Our Name To SYN CUBES

When we initially started almost four years ago, our vision was to use our extensive knowledge and create the most incredible Pentest as a Service (PTaaS) solution out there. At the same time, we also wanted to approach things differently...

Reading Time: 3 minutes
Dragos Stanescu - September 20, 2022
  • Tutorials
  • Pentesting Jenkins

Automate DevOps - Jenkins CI/CD Pipelines Penetration Testing Tips

If you're looking to get into the world of Jenkins and CI/CD pipelines, this blog post is for you. I'll cover what Jenkins is, the benefits of using it, the most important CVEs affecting it, and a couple of resources worth looking into. Then you can use all this knowledge to your advantage and secure your pipeline.

  • API / Misconfiguration
  • Google Maps

A Pentester Story - How to Increase the Impact of an Underrated Issue

Too many organizations are risking their financial stability by not implementing proper security boundaries when using the Google Maps API key. If you're in charge of an application that needs access to this service, be sure you have configured it properly and placed appropriate security controls to prevent external abuse.

  • Compliance
  • SOC 2 Type 2

Demystifying SOC 2 Type II Compliance Audit - What a Pentester Needs to Know

Drawing an early line in the sand: an audit and security are NOT the same thing. Even if a company meets a defined maturity level of controls, that does not necessarily mean it is secure. A compliance framework relies on a solid set of standards and regulations that work on a set of assumptions.

  • AppSec / Java
  • CVE-2021-44228

Java Log4j Vulnerability (CVE-2021-44228) - Keep Your Head Cool

The Java Log4j vulnerability proved to be one of the most severe security flaws in years. Six hours after the initial Proof-of-Concept was published, the situation escalated quickly: the exploit was already reported to be weaponized and used at scale.

  • GANs / NLP
  • Social Engineering

Generative Adversarial Networks (GANs) - #EnemyUnknown

GANs emerged as a cutting-edge technology around six years ago. Their use showed that there are endless possibilities for generating realistic fake photos. In this blog I describe my experience dealing with an unexpected situation while using a social media platform.

  • Security Engineering
  • OSINT

PDF Documents Metadata and Practical Examples of How to Handle It

In this blog post we explore and detail a couple of straightforward technical solutions that any business can consider when limiting information exposure through the metadata fields of its public documents.

  • Security Engineering
  • C-Level

Pentesting is Just the Beginning

The Security Engineering skill set gap has created a substantial market for contract-based pentesting - a gig-style, one-and-done arrangement driven by global freelancing and bug bounty platforms.

  • Offensive Security Testing
  • C-Level

Standard Pentest vs. Adversarial Simulation

If you are a C-Level executive, a CISO, or hold a similar position, this article details a few hints about what a mature security vendor should provide to you as part of an engagement journey.

  • CRM
  • Information Disclosure

Probing Oracle Eloqua CRM for Sensitive Information Exposure

Jon Lu discloses the steps he took to trigger a Sensitive Information Exposure issue, starting by analyzing a couple of analytics tracking IDs and then investigating a low-impact security misconfiguration further.

  • Browser
  • Extensions

Microsoft Edge and the new attack surface

We take a close look at Microsoft's stunning move of launching its new Edge browser to millions of Microsoft Windows 10 users via Windows Update. Microsoft's new Edge browser is based on the Chromium engine, the same engine used by its leading competitor, Chrome.

Syn Cubes Team - June 15, 2020

Be the adversary - attack first