taxonomy · how systems fail
Patterns.
Named bug-classes and conceptual frames. Each pattern is its own meta-analysis. The mechanism that gets named, plus every post that exhibits it.
- Trust Inversion · 7 posts
The tools and credentials that authorize access to your systems are now the attack surface.
- Design Debt Driver · 4 posts
A component whose bug-class keeps recurring. Patches address symptoms; the design holds the primitive.
- Disclosure After Exploitation · 4 posts
Vendor discloses only after active in-wild exploitation. The gap between first-seen and CVE is the story.
- Security Tool As Primitive · 4 posts
The privileged action of your security tool becomes the attack. Defender's hands become attacker's hands.
- Content Is Command · 3 posts
External content feeds an interpreter that treats it as instructions. Prompt injection is one instance.
- Maintainer Account Compromise · 3 posts
Single maintainer account gates publishes to millions. One compromise ships to every downstream.
- Revocation Gap · 3 posts
The window between credential compromise and detection. Every action in that window is legitimate.
- Unauth Write To Execution Path · 3 posts
No auth required to write a file into a path the server executes. Webroot upload, CGI drop, etc.
- Disclaimer Wrapped Campaign Kit · 2 posts
A PoC that ships a full weaponizer behind a 'for authorized testing only' disclaimer.
- Mutable Reference As Immutable · 2 posts
Git tags, date-labeled artifacts, the latest tag. Treated as pinned. Not.
- Persistent Blindspot · 2 posts
The attack does not steal. It makes the defender permanently blind to a class of events.
- The Detector Is The Target · 2 posts
The sandbox, scanner, or SOC tool is itself the attack surface.
- Commented Out Code Is Testimony · 1 post
The capability the researcher didn't ship tells you what the capability is. Read what's commented out.
- Denial By Pedantry · 1 post
'We weren't breached' via a narrow reading of their own terms. Non-denial denial.
- Emergent Primitive · 1 post
Individually safe components that compose into an attack. Nobody owns the intersection.
- Fail Open Intercept · 1 post
Security gate can't decrypt/validate a message and forwards it anyway. Logs the failure, does the action.
- Junction Preemption · 1 post
A privileged process writes to a directory it never pre-created with restrictive permissions. A standard user occupies the path first as an NTFS junction. The privileged write follows the attacker's redirection.
- MFT as Primary Target · 1 post
Managed file transfer products carry the payload and the trust. Now carry the breaches.
- Nonce Is Not Auth · 1 post
CSRF tokens mistaken for authentication. Valid nonce does not equal authenticated caller.
- Prototype Pollution Trust Bypass · 1 post
A trust check that reads shared prototype state. Attacker writes once, every object reports trusted.
- Security Metric Theater · 1 post
Coverage reported as a fraction when only the numerator was ever the story. MFA %, EDR coverage, etc.
- Self Propagating Supply Chain · 1 post
Worm pattern in a package registry: infected package harvests credentials, publishes to the next.
- Signing Surface Poisoning · 1 post
Hardware wallet / HSM / signer shows one thing, signs another. Trust boundary lives at the rendering layer.
- TOCTOU That Isn't · 1 post
A 'race condition' that's actually deterministic. Attacker controls timing because the other side hasn't run yet.
- Unpatchable Primitive · 1 post
The bug class is too fundamental to the design. Patches close instances; the primitive remains.
- Unsigned Ecosystem Echo · 1 post
A new ecosystem replaying every lesson the old ones learned. Same registry shape, same provenance gap.
- Todo That Shipped · 0 posts
The fix was in a comment. The code shipped without it. Audit your oldest TODOs.
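The Prototype Pollution Trust Bypass entry above describes the mechanism in one line; the following is an added illustration, not code from this site or from any post it indexes. It pairs a recursive merge that walks attacker-controlled JSON (the write) with a trust check that reads a plain property (the read), then shows the hardened pair. The function names (mergeUnsafe, isTrustedUnsafe, mergeSafe, isTrustedSafe, runDemo) and the attacker payload are constructed for the example.

```javascript
// Added example: a trust check that reads shared prototype state, beside
// a hardened version. Names and the payload below are illustrative only.

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Vulnerable: recursive merge over every key of attacker-controlled JSON.
// For the key "__proto__", target["__proto__"] resolves to Object.prototype,
// so the recursion writes the attacker's values onto the shared prototype.
function mergeUnsafe(target, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val !== null && typeof val === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      mergeUnsafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Vulnerable trust check: a plain property read falls through to the
// prototype chain whenever the object has no own "isTrusted".
function isTrustedUnsafe(session) {
  return session.isTrusted === true;
}

const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened merge: refuse prototype-walking keys, only descend into own
// properties, and build nested objects with a null prototype.
function mergeSafe(target, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = src[key];
    if (val !== null && typeof val === "object" && !Array.isArray(val)) {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== "object") {
        target[key] = Object.create(null);
      }
      mergeSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened trust check: only an own property counts as a grant.
function isTrustedSafe(session) {
  return hasOwn(session, "isTrusted") && session.isTrusted === true;
}

// Constructed attacker input. JSON.parse creates an *own* property literally
// named "__proto__" (it does not set the prototype), so the key survives
// until the merge dereferences it on the target.
const ATTACKER_JSON = '{"theme":"dark","__proto__":{"isTrusted":true}}';

function runDemo() {
  const results = {};
  const freshSession = () => ({ user: "anon" }); // never granted trust
  results.beforePollution = isTrustedUnsafe(freshSession());

  mergeUnsafe({}, JSON.parse(ATTACKER_JSON));          // attacker writes once
  results.afterPollution = isTrustedUnsafe(freshSession()); // every object reports trusted
  results.prototypePolluted = hasOwn(Object.prototype, "isTrusted");
  delete Object.prototype.isTrusted; // undo so the hardened path is measured cleanly

  const cfg = mergeSafe(Object.create(null), JSON.parse(ATTACKER_JSON));
  results.safeMergeKeptTheme = cfg.theme === "dark";
  results.safeMergePolluted = hasOwn(Object.prototype, "isTrusted");
  results.safeCheck = isTrustedSafe(freshSession());

  // Even if some other code path pollutes the prototype, the own-property
  // check does not inherit the grant.
  Object.prototype.isTrusted = true;
  results.safeCheckUnderPollution = isTrustedSafe(freshSession());
  delete Object.prototype.isTrusted;
  return results;
}

module.exports = { mergeUnsafe, isTrustedUnsafe, mergeSafe, isTrustedSafe, runDemo };
```

Two independent fixes are shown because either alone is incomplete: a key denylist in the merge stops this write path but not the next library that merges untrusted input, and an own-property (or null-prototype) read makes the trust check immune to pollution from any source.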