Joern

Representative Foreword

After the Code, the Structure Remains

The representative foreword of this blog: security now fails less at finding issues than at absorbing, sustaining, and acting on what has already been found.

This essay frames the entire site first. The posts on technical analysis, method, and governance all start from this same problem statement.

Read the Foreword About This Blog

Detection, Method, Governance

🔥 A Mind That Dissects Systems

Security Controls Aren't Lacking — They're Inconvenient: Why Security Needs Customer Context

Security controls already exist. The real problem is that we cannot decide which customer, at which moment, deserves how much friction. As the closing chapter of the CAPTCHA·ATO series, this post is about moving from quantity of controls to context of controls — adaptive security as an operational discipline.

The AI Slop Paradox: Why Triage Gets Harder When Vulnerabilities Get Easier to Find

AI lowers the cost of finding vulnerability candidates, but it also increases low-quality reports, duplicates, and false positives. In the AI slop era, triage quality becomes the core security operation.

Beyond CVE Response: AI-Era Vulnerabilities Move Before They Get Numbers

AI-era vulnerability response cannot wait for a CVE number. Pre-CVE signals such as issues, commits, PoCs, write-ups, and patch traces now have to be mapped against internal exposure earlier.

Why Account Takeover Never Ends — Dismantling the ATO Supply Chain

How Korea's CaaS supply chain reproduces itself through the recycling loop of points, gift cards, and crypto — and why defending against it requires reading the entire behavioral network, not just the login page.

Structure Builders Will Outlast Vulnerability Finders

18 years of vulnerability hunting distilled into one insight: the shift from individual instinct to scalable structure — and what AI means for those left standing.

The CAPTCHA That Became a Free Automatic Door for Hackers — A Bypass PoC and Defense Strategy

A practical look at an audio CAPTCHA bypass PoC built with Playwright, Whisper, and Page-Agent, plus the login defenses that still matter after CAPTCHA falls.

WAF/IPS/IDS Detection Gap Analysis and Remediation Direction

Structural analysis of WAF, IPS, and IDS detection gaps from parsing discrepancies, with a practical remediation taxonomy.

The Gap Between CISO Strategy and Execution: The WAF Debate and Field Leadership Report

A comprehensive report presenting a roadmap for practical security improvement and field leadership, centered around the debate on WAF and the gap between philosophy and execution.

Endpoint Security Evasion (2020–2025): From EDR Bypass to EDR Kill

A technical analysis of how BYOI, BYOVD, DLL hijacking, and service abuse shifted endpoint attacks from EDR bypass to EDR kill between 2020 and 2025.

SPOF in Cybersecurity: From History to Strategy, a Graph-Based Analysis

Graph-based analysis of Single Points of Failure in cybersecurity, using weighted path enumeration to identify critical infrastructure nodes.

Detection Frameworks and Latest Methodologies for eBPF-Based Backdoors

How eBPF-based backdoors evade traditional detection, and modern frameworks like Tracee and LKRG that counter kernel-level threats.

In-Depth Report on Telecommunication Security: SKT Breach and Global Case Studies

In-depth analysis of the 2025 SKT breach, telecom authentication mechanisms, and 5G SA vs NSA security architecture differences.

🔥 Trust and Culture Beyond Technology

Supply Chain Security Does Not End with SBOM: Governing AI Development Tools and Automation Connections

AI IDEs, MCP, and automation connectors are not merely developer convenience tools. They are supply-chain assets that affect the trust path of how code is written, reviewed, and shipped.

Why Security Knowledge Transfer Fails — and What to Design Instead

An organizational design report that reframes the security–DevOps problem from failed knowledge transfer to default design, interfaces, exception handling, and alignment.

Contracts vs Security Governance — Contracts Enforce. Governance Decides.

Why security governance must drive decisions before contracts enforce them—a structural reframing for security leadership.

eIDAS 2.0 vs. Korea’s Digital Identity System: A Comparative Analysis

Comparative analysis of EU eIDAS 2.0 wallet-based identity and Korea's mobile ID system across governance, privacy, and operations.

The Visibility Principle: How Internal Vulnerability Visibility Shapes Remediation Behavior

How transparent internal vulnerability visibility drives remediation through accountability and deterrence without formal punishment.

Attack Surface Management in 2025: Why Continuous Visibility is Essential

Why continuous attack surface management is critical in 2025, covering AI-driven discovery, shadow IT, and zero trust integration.

Is Your Data in the Cat's Paws?

Analysis of the 2025 KakaoPay breach exposing 40M users' data, and why formal consent fails without AI-based DPIA and civic oversight.

There’s No Such Thing as a Free Lunch, But Security Was Free

The CVE system nearly collapsed in 2025. Who should fund public cybersecurity infrastructure when free-riding is no longer sustainable?

Common Security Myths Developers Tell Themselves

Debunking developer security myths around responsibility deflection, tech overconfidence, and risk underestimation with real-world examples.

Common Misconceptions of Security Assessors

Three common misconceptions that weaken security assessments and strategies to build repeatable, effective vulnerability evaluation.

🔥 Code That Fixes, Not Just Runs

An Audit Workflow Survives Only When It Absorbs Misses — Eight Reinforcements to sec-audit-static v2.0

I designed sec-audit-static workflow v2.0, ran it against a real auth-server codebase, and missed two things. This is the record of how those misses were folded back into the tool — through v2.8.

MCP Is Repeating the History of RPC Security

MCP security risks are not about prompt injection. They stem from the same configuration-to-execution escalation pattern that has plagued RPC, local security software, and CI/CD pipelines for decades.

Security Assessment Becomes a Development Process, Not an Outsourced Event

AI-era security assessment is not primarily about reducing outsourcing cost. It is about embedding repeatable verification into the development process while separating automation candidates from human judgment.

How I Turned 228 Endpoints into 5 Clusters

A practical account of applying dataflow-based clustering to a real codebase — reducing 228 endpoints to 5 reviewable clusters, and finding an RCE chain in the cross-section.

Security Diagnostics Reports Die Upon Publication

We point out the limitations of traditional security diagnostic reports and share the necessity and practical application cases of 'Security Testing as Code', managing diagnostic results not as 'documents' but as 'executable code (PoC)'.

How I Managed Unmaintained Open Source with Gmail and Snyk Alerts

Automating Snyk vulnerability alert management with Google Apps Script and Gmail when official API access falls short.

How to Block ECH and Mitigate DoH in Enterprise Networks

A hands-on guide using dnsmasq to filter SVCB and HTTPS records for disabling ECH and enforcing central DNS policies. Notes that DoH requires separate network-layer policies.

An Audit Workflow Survives Only When It Absorbs Misses — Eight Reinforcements to sec-audit-static v2.0

I designed sec-audit-static workflow v2.0, ran it against a real auth-server codebase, and missed two things. This is the record of how those misses were folded back into the tool — through v2.8.