Tools Free website security scanner — check in seconds
We launched a free, stateless website security scanner. It checks HTTPS, headers, cookies, SPF/DMARC and more — with no data stored. See what it can do.
Technical write-ups on vulnerabilities, breaches and attack campaigns — written by practitioners, for IT teams.
Tools You scanned your site and see a grade and a list of issues — now what? We explain every finding type and show how to fix it, concretely.
Pentest Before an attack lands, a criminal does reconnaissance. We show what OSINT reveals about your company and how to shrink your digital footprint.
Pentest A well-prepared penetration test delivers more value for the same money. How the process works, what to agree up front and how to read the report.
AI in business AI agents carry out tasks, not just answer questions. Where agentic automation pays off, how to roll it out in stages and how to keep control.
Vulnerabilities 2026 confirms a worrying trend: vulnerabilities are exploited faster than vendors ship patches. What it means for defence and how to keep up.
Compliance The amended KSC act implements NIS2 and applies from 3 April 2026. We explain who it covers, the deadlines and what you need to do.
Authentication Passkeys remove passwords and are phishing-resistant. We explain how they work, how they differ from MFA and how to start rolling them out.
AI in business A chatbot can take real load off customer service — or embarrass the brand with one answer. A guide to a secure rollout, from architecture to testing.
Deepfake Fake ads featuring well-known people are flooding social media. We explain how deepfake investment fraud works and how to recognise it.
Monitoring You don't need a million-dollar SOC to detect attacks. How a mid-sized company builds monitoring: what to log, what to alert on, when to get help.
Phishing A QR code slips past email filters and leads to a fake page straight from your phone. We explain how quishing works and how to defend against it.
Fraud A SIM swap lets criminals take over your phone number — and with it your texts, codes and accounts. How it works, how to spot it and how to protect yourself.
Vulnerabilities Dozens of new vulnerabilities are published every day. We show how to tell the ones that actually affect you from the noise.
Phishing Criminals impersonate KSeF, e-government and gov.pl domains to target company finance teams. What this phishing looks like and how to defend against it.
Cloud Microsoft 365 is the heart of most companies — and the top target of account attacks. Ten configurations that close common takeover paths.
Smishing A campaign impersonating mObywatel uses sender spoofing and a fake 200 PLN fine. We explain why it looks so convincing and how not to fall for it.
Scams BEC is one of the most expensive scams for companies. We explain how invoice fraud and the 'urgent CEO transfer' work — and how to stop them.
Authentication MFA is the cheapest risk reduction we know — but only when deployed well. The differences between methods, a staged rollout plan and common traps.
Malware Infostealers are the most common malware stealing passwords, cookies and wallets. How they infect, why they bypass MFA and how to protect yourself.
Supply chain A single dependency can compromise thousands of companies at once. We explain how supply chain attacks work and how to limit dependency risk.
Ransomware Ransomware attacks rarely start with encryption. We break the attack chain into its parts and show where it's cheapest to break it.
Business continuity A backup nobody has tested is just an assumption. The 3-2-1 rule, immutable copies that survive ransomware and restores that actually work.
Banking An intensive campaign impersonates BLIK using SMS spoofing and fake login panels. We show how criminals take over online banking and how to break the chain.
Web security WordPress powers most of the web and is the top target for attacks. Ten practical steps to secure your site — no coding knowledge required.
DevSecOps Kubernetes gives huge flexibility and an equally large attack surface. We cover the most common mistakes — RBAC, secrets, networking — and hardening priorities.
Vishing A call from the bank's number, a calm 'consultant' and a supposed break-in on your account. We break down the fake-bank-employee scam and how to stop it.
Compliance DORA has applied since January 2025 and covers far more than banks. The five pillars, mandatory resilience testing and ICT supplier duties.
API APIs are now the most common target for application attacks. We cover the key OWASP API Top 10 flaws — led by BOLA — and how to avoid them.
Phishing Phishing still accounts for most successful breaches. We explain why employee education alone isn't enough and what to add to your defences.
Guide Fake shops, spoofed payments and intercepted cards. A practical guide to spotting a fraudulent store and paying safely online.
Supply chain Your security ends at your weakest supplier. How to assess contractor risk, what to put in contracts and how to monitor suppliers efficiently.
Data breaches Your passwords and data are almost certainly in some breach. How to check it safely, what a leak really means and what steps to take.
Risk management Employees use several times more applications than IT has approved. Where shadow IT comes from, what it risks and how to control it without bans.
Smishing Fake SMS about a delivery surcharge is one of Poland's most common phishing scenarios. We break it down and explain why the tiny fee is deliberate.
AppSec A guide to the OWASP Top 10 for teams that want to understand real risks — from broken access control, through injection, to SSRF.
Vulnerabilities The scanner is the easy part. How to build the full process: inventory, risk-based prioritisation, remediation SLAs and metrics that matter.
Cloud Most cloud breaches don't come from the provider's flaws, but from the customer's misconfiguration. Here are the five most common traps.
Guide Your phone knows more about you than your computer. Twelve practical settings and habits that genuinely protect your data, accounts and privacy.
Remote work Remote work is here to stay — and with it company data on home networks and private hardware. A practical standard: devices, access, Wi-Fi.
Scams Impersonations of OLX and Vinted are among the most reported scams in Poland. We explain the 'safe payment' mechanism that actually robs the seller.
Hardening Active Directory is the top target once inside a network. We cover common attack paths — Kerberoasting, excessive privileges — and how to close them.
Privacy Ads promise a VPN gives anonymity and total security. We explain what a VPN really does, what it doesn't protect against and when it's worth using.
Data breaches What to do when a data breach happens — from confirming the incident, through limiting the impact, to GDPR obligations.
Authentication Shared passwords in a spreadsheet are a ticking bomb. How a business password manager works, how to choose one and roll it out to teams.
Fraud Seniors are fraudsters' most common target: fake grandchild, police or bank staff. Learn the schemes and how to protect parents and grandparents.
Architecture The 'hard shell, soft centre' model no longer works. We explain what Zero Trust is, where to start a rollout and what to avoid.
Scams A hacked friend's account asks for a BLIK code or a scan of your ID. We explain how account takeovers happen and why the chain of trust is the weakest link.
GDPR 'Appropriate technical measures' — but which exactly? GDPR Article 32 as an IT checklist: encryption, access, logs, backups and testing.
Identity Stolen personal data lets criminals take out loans or register a company in your name. How identity theft happens and how to protect yourself.
AI security Deploying language models opens up a class of threats that classic applications never knew. We cover prompt injection, data leakage and over-privileged agents.
Vulnerabilities CVE-2026-35616 (CVSS 9.8) in Fortinet FortiClient EMS is actively exploited and in the CISA KEV. We explain the threat and how to respond.
Vulnerabilities A critical RCE in the Windows TCP/IP stack, remote and with no user interaction — potentially self-spreading. We explain the risk and the patching priority.
SMB A small company doesn't need a security department to stop being an easy target. A 90-day plan: what to do in-house, what to buy, what to outsource.
Vulnerabilities SharePoint is targeted again: CVE-2026-32201 scores 'only' 6.5 in CVSS but is actively exploited and in the KEV — proof the score isn't everything.
Authentication Change your password every 30 days? Invent complex character strings? We explain which password rules are outdated myths and what really protects your accounts.
Hardening A practical guide to hardening Linux servers — no copying hundred-item checklists, with an emphasis on the highest-impact actions.
Ransomware In spring 2026 several Polish hospitals were hit by ransomware in quick succession. Why healthcare is a target and how to limit the impact.
Guide How to protect your child online without surveillance and bans? A practical guide to the risks, parental control settings and the conversation that works.
Email security Without SPF, DKIM and DMARC anyone can send emails impersonating your domain. We explain these three mechanisms simply and show how to deploy them.
Critical infrastructure A destructive attack on Poland's energy sector and pro-Russian DDoS show critical infrastructure is a target — what it means for companies.
Vulnerabilities Ivanti EPMM was hit by a zero-day exploited before disclosure (CVE-2026-1281 and 1340). We explain who's affected and what to do right now.
Critical infrastructure 2025 was a record year for Poland: attacks on hospitals, DDoS on infrastructure and disinformation. We summarise the threats and lessons for businesses.
Supply chain In autumn 2025 the Shai-Hulud worm infected hundreds of npm packages, spreading itself. We analyse the supply chain attack and how to secure your pipeline.
Supply chain In 2025, stolen OAuth tokens from Salesloft exposed hundreds of firms' Salesforce data — with no cracked passwords. A lesson on integration risk.
Vulnerabilities In summer 2025, CVE-2025-53770 in SharePoint Server let attackers take over servers with no login. We analyse the ToolShell chain and its lessons.
Vulnerabilities CVE-2025-5777 let attackers pull session tokens from Citrix NetScaler gateways, bypassing MFA. We analyse CitrixBleed 2 and the defence.
Ransomware In 2025 Scattered Spider paralysed UK retail. The weapon wasn't a 0-day but a helpdesk call. We break down the technique and the defence.
Vulnerabilities CVE-2025-31324 in SAP NetWeaver let attackers upload a web shell with no login and take over the ERP. We analyse attacks on a company's heart.
Vulnerabilities CVE-2025-29824 is another 0-day in the Windows CLFS driver, used by ransomware to seize SYSTEM. Why this class of flaw returns and how to limit the risk.
Data breaches In February 2025, $1.5bn in crypto vanished from Bybit. We break down the Lazarus attack and what failed despite a cold wallet.