Why AppSec?

Web pentesting isn’t just about finding bugs and writing reports — it’s a process of deeply understanding how systems work, how developers think, and discovering the cracks that builders can’t see.

But after spending time doing pentests, I realized: finding bugs is only half the story. The other half is making sure those bugs never come back — and that’s why Application Security exists.

The 5-Phase Roadmap

I’m following a structured roadmap, from mastering hands-on pentesting to building a comprehensive security program:

  1. Sharpen Web/API Pentest Skills — OWASP Top 10, Burp Suite, PortSwigger Labs
  2. Whitebox & Code Review — Semgrep, CodeQL, real-world source auditing
  3. DevSecOps & SDLC — Integrating security into the software development lifecycle
  4. AppSec Program Management — OWASP SAMM, KPIs, policy & governance
  5. Advanced: OSWE / eWPTX — Logic bugs, RCE chains, cert prep

What This Blog Is For

  • Lab Writeups — documenting how I solve each lab, including failures
  • Tool Deep Dive — hands-on exploration of each tool, not just theory
  • Code Review Notes — sharing interesting bugs found in real code
  • DevSecOps — notes on building secure CI/CD pipelines
  • Defender’s Perspective — working from the vulnerabilities found toward proper fixes and mitigations

My Commitment

Every post will have real results: real code, real screenshots, real lessons. No empty theory.

The journey starts today.

Follow this blog so you don’t miss the next posts!