CryptoFlex LLC
Series

Security Engineering

5 posts in this series

1

A security professional audits his own code: blog posts leaking private repo names, query-string secrets in browser history, SSRF vectors, and error messages handing attackers the database schema. 19 findings and the journey to fix every one.

Chris Johnson · 14 min read

2

I've managed firewalls for years. When it came time to add WAF protection to my own site, I evaluated Cloudflare's free tier against Vercel's built-in WAF. Here's the comparison, the implementation, the config that broke the build, and the curl tests that proved it all works.

Chris Johnson · 12 min read

3

I tasked four AI agents with auditing my production site for OWASP vulnerabilities. They found 16 findings, fixed 6, and wrote 37 tests in under 30 minutes. Traditional pentesting may never be the same, but red teamers shouldn't worry.

Chris Johnson · 18 min read

4

A pairing/admin-approval privilege escalation CVE hit OpenClaw. My security agent ran a threat hunt, my builder agent implemented a Security Panel on the Mission Control dashboard, and 15 files later the system can see itself. Here is the full story.

Chris Johnson · 18 min read

5

How a routine search for blog content tools led to discovering critical security risks in a popular MCP server, and why I built my own secure alternative.

Chris Johnson · 14 min read
