About badbeat.dev

A cybersecurity blog focused on CTF writeups, AI security research, and e-commerce defense — with an emphasis on the failures that teach more than the wins.

What we cover

CTF writeups. Walkthroughs from HackTheBox, TryHackMe, and public CTF events. The focus is on the why behind each exploit, not just the steps. If you can reproduce a finding without understanding it, the writeup hasn't fully done its job.

AI security. Prompt injection, LLM jailbreaks, model extraction, adversarial inputs, supply chain attacks on ML pipelines, and the red-teaming techniques that hold up in production. This is where the threat landscape is moving fastest — and where most security teams are still catching up.

E-commerce security. Magecart, payment skimmers, checkout flow vulnerabilities, Shopify and WooCommerce misconfigurations, and the PCI-DSS gaps that keep showing up in breach reports. Most breaches in this space aren't zero-days — they're misconfigurations. Written by someone who's built and operated e-commerce systems, not just audited them.

Who this is for

Intermediate-to-advanced security practitioners. CTF players who want writeups that respect their time. Red teamers looking for fresh angles on AI systems. E-commerce operators who know "we use Cloudflare" isn't a security posture.

If you're learning the fundamentals, you may want to start elsewhere — we link to solid beginner resources when relevant.

Why anonymous

Attribution can be a liability in certain areas of security research. The work here stands on its own merits: reproducible findings, cited sources, and methodology you can verify independently. No personal branding, no conference circuit, no vendor-written content or paid influence.

The work speaks for itself.

How this blog makes money

Transparency matters. Some posts include affiliate links to platforms we actually use — HackTheBox, TryHackMe, and specific security tools. We only recommend what we'd recommend without the affiliate relationship.

No sponsored posts. No vendor-written content. No ghostwritten "thought leadership."

Subscribe

New writeups, research, and analysis land in your inbox — no spam, no filler, just the work.

Subscribe to the newsletter →

(Free. Unsubscribe anytime. We don't share your email with anyone.)

Get in touch

Found a factual error? Have a CTF writeup suggestion? Want to tip off a security story?

Contact: hello@badbeat.dev

PGP key: Download public key

Fingerprint: 5A2C 45E0 041A 10E2 95F0 3FD7 ED01 7773 3B1B B5F8

Encrypted tips welcome. If you're reporting a vulnerability or sharing sensitive research, please use PGP.

Legal

All security research on this site is conducted on authorized platforms (HackTheBox, TryHackMe, public CTFs) or on infrastructure we own. Nothing here constitutes guidance to attack systems you don't have permission to test. Do the legal thing.