Anonymised case studies, vulnerability classes, tooling decisions.
Notes from engagements, written for engineers and security owners who would rather see what we found than what we sell. Published under our editorial policy — anonymised, post-remediation, no working exploit code, no zero-day pre-disclosure.
Every published finding ships with the request that proves it.
Anyone can write "the API leaks PII." We hand the engineer the exact curl that triggers the leak, the raw response that proves it, and the smallest possible context for re-running it after the fix. No screenshots-only claims, no "trust the consultant."
F-014_dmarc_missing/
├── 00_summary.md        // what, why, who, severity, CVSS
├── 01_repro.sh          // one-liner that triggers it
├── 02_dig_dmarc.txt     // raw `dig +short TXT _dmarc.x.io`
├── 03_spoof_test.eml    // crafted msg + full delivery headers
├── 04_inbox_capture.png // recipient view (sender redacted)
├── 05_impact.md         // blast radius, attacker abuse path
├── 06_remediation.md    // exact records to add + propagation
├── 07_retest.sh         // rerun after the fix lands
└── 08_signoff.md        // who verified, when, ticket link
If the engineer can't run 01_repro.sh in under thirty seconds, we go back and refine until they can.
02_dig_dmarc.txt is the unedited tool output. Screenshots are decoration, not evidence — they live next to the raw, not in place of it.
07_retest.sh is committed before the finding closes. Every closure is verified by the same script that opened it.
2026-05-04 · Tooling note · 7 min
Why we wrote our own JA4S in pure Python (and what the existing implementations got wrong)
JA4S is the server half of the JA4 fingerprint family — a single short string that identifies a TLS server's stack from the bytes it sends back during a handshake. Most public Python implementations get those bytes wrong in ways that silently produce non-matching fingerprints. Here is what the FoxIO 2024 spec actually requires, where the popular ports drift from it, and the fifty-line pure-Python implementation we ship inside our surface audit.
References: JA4 spec (FoxIO 2024), RFC 8446

2026-05-02 · Case study · 5 min
Why a missing DMARC record means your customer pays the attacker
An anonymised case from a $3.5k/day crypto-payment platform. How outbound impersonation works, why SPF on its own does not stop it, and the single DNS line that closes the class.
References: RFC 7489, RFC 7208
New posts appear here irregularly — typically one to two per week when engagements permit. RSS feed at /journal/rss.xml.