Patterns.

The tools and credentials that authorize access to your systems are now the attack surface.

A component whose bug-class keeps recurring. Patches address symptoms; the design holds the primitive.

Vendor discloses only after active in-wild exploitation. The gap between first-seen and CVE is the story.

The privileged action of your security tool becomes the attack. Defender's hands become attacker's hands.

External content feeds an interpreter that treats it as instructions. Prompt injection is one instance.

Single maintainer account gates publishes to millions. One compromise ships to every downstream.

The window between credential compromise and detection. Every action in that window is legitimate.

No auth required to write a file into a path the server executes. Webroot upload, CGI drop, etc.

A PoC that ships a full weaponizer behind a 'for authorized testing only' disclaimer.

Git tags, date-labeled artifacts, the latest tag. Treated as pinned. Not.

The attack does not steal. It makes the defender permanently blind to a class of events.

The sandbox, scanner, or SOC tool is itself the attack surface.

The capability the researcher didn't ship tells you what the capability is. Read what's commented out.

'We weren't breached' via a narrow reading of their own terms. Non-denial denial.

Individually safe components that compose into an attack. Nobody owns the intersection.

Security gate can't decrypt/validate a message and forwards it anyway. Logs the failure, does the action.

A privileged process writes to a directory it never pre-created with restrictive permissions. A standard user occupies the path first as an NTFS junction. The privileged write follows the attacker's redirection.

Managed file transfer products carry the payload and the trust. Now carry the breaches.

CSRF tokens mistaken for authentication. Valid nonce does not equal authenticated caller.

A trust check that reads shared prototype state. Attacker writes once, every object reports trusted.

Coverage reported as a fraction when only the numerator was ever the story. MFA %, EDR coverage, etc.

Worm pattern in a package registry: infected package harvests credentials, publishes to the next.

Hardware wallet / HSM / signer shows one thing, signs another. Trust boundary lives at the rendering layer.

A 'race condition' that's actually deterministic. Attacker controls timing because the other side hasn't run yet.

The bug class is too fundamental to the design. Patches close instances; the primitive remains.

A new ecosystem replaying every lesson the old ones learned. Same registry shape, same provenance gap.

The fix was in a comment. The code shipped without it. Audit your oldest TODOs.