Juan Pablo Gomez Postigo

Blogs by Juan Pablo Gomez Postigo
Tenant Enumeration is Dead

Microsoft has fully patched the ACS metadata endpoint that powered tenant domain enumeration. Learn what the original technique was, why it's gone, and how azmap.dev now combines DKIM lookups, MX brute-force, and Graph API to still surface tenant names and related domains.
Please Show Your Work: Bypassing JavaScript Proof-of-Work CAPTCHAs

Understanding how SiteGround’s proof-of-work CAPTCHA silently disrupts automated WordPress security scans and how to work around it.
Tenant Enumeration is Back

Microsoft's soft patch didn't kill tenant enumeration. Attackers have new ways to map cloud infrastructure. Learn how modern Azure and Microsoft 365 enumeration techniques work, why they're back, and what defenders should do next.
Lost in Transliteration: Hidden Passwords in a Multilingual World

Sprocket Security Senior Penetration Tester examines how transliteration and language backgrounds shape password creation, adding complexity for both users and attackers in his 2025 CypherCon talk.
I Love Lucee: Building Lucee Extensions for Remote Code Execution

During the past few assessments, Sprocket has encountered improperly configured instances of Lucee 5 and 4. This blog post will detail a straightforward method to execute remote code after acquiring administrative access to a Lucee login panel.
Discovering wp-admin.php URLs in Wordpress With GravityForms

When a specific endpoint is requested with a random string passed in, GravityForms prompts users to authenticate first. As a result, the unauthenticated user is redirected to the obscured administrative login page for /wp-admin.