Blog
93 HackerOne Reports Show the Same AWS Blast Radius Problem
We analyzed 1,169 AWS-related HackerOne reports. The dominant pattern: SSRF or leaked credentials become full infrastructure access because nobody measured the blast radius of the compromised identity.
AWS Finally Gave S3 Buckets Their Own Rooms
For years, predictable S3 bucket names let attackers squat resources and hijack AWS services. Account-regional namespaces, launched March 2026, eliminate the entire attack class. Here's what changed and what you need to do.
What the LexisNexis Breach Teaches Us About Blast Radius in AWS
A single ECS task role with read access to every secret in the account. The LexisNexis breach is a textbook case of why blast radius validation matters.
The Capital One Breach, Seven Years Later: The Blast Radius Problem That Won't Go Away
In 2019, a single SSRF vulnerability turned into 106 million stolen records. AWS shipped IMDSv2. Seven years later, half of EC2 instances still don't enforce it, and attackers have industrialized the technique.