Blog — Nullra

latest Tooling & Automation

A paragraph copied from a LinkedIn post carried something the eye never sees: a run of Unicode tag characters encoding a prompt-injection instruction. Pasted into a frontier model, it halted the session. The visible text was clean; the clipboard was not. This is a known bug class -- invisible tag-character smuggling into LLM contex -- and what follows is a clean field observation of it on a major platform, the byte-level proof, and the mitigation. The part the bytes can't prove is marked as such and left open.

Vuln Management

Triage by blast radius: a working methodology for teams with more findings than engineers.

AppSec ProgramEngineering CultureProduct ManagementTriageVulnerability Management

2026-06-04 ~14 min · 2,777 words

AI Risk

What your developers are sending to their AI tools, and why your legal team would be upset.

AI SecurityData LeakageDeveloper ToolsIP ProtectionSecrets ManagementSupply Chain

2026-06-04 ~15 min · 2,934 words

Authorization

Tenant isolation failures in multi-tenant SaaS: a pattern catalogue

Tenant isolation failures are authorization failures. Not configuration failures, not framework failures, not database failures. This is a catalogue of how they happen, why they're hard to see coming, and what the underlying patterns actually look like.

2026-06-04 ~33 min · 6,558 words

Secure SDLC

Coverage ≠ progress. Why your scan numbers are lying to you.

Closing a thousand vulnerabilities in three months sounds like a win. It isn't. And the fact that it sounds like one is exactly the problem.

2026-06-04 ~7 min · 1,430 words

Org & Culture

The trust problem in AppSec isn't technical. It's political.

Most AppSec programs don't fail because the tools stopped working. They fail because the people stopped listening. Here's what that actually looks like, and what you do about it.

2026-06-04 ~7 min · 1,478 words

Tooling & Automation

Before you write a rule, read the code

Most SAST implementations fail not because the tool is wrong, but because the rules weren't written for the codebase they're running against. Generic rulesets generate noise. Noise gets ignored. Ignored findings don't get fixed. Here's how to build rules that match how your organization actually writes code.

2026-06-01 ~12 min · 2,371 words