Blog
Notes from those who keep watch.
Technical writing on external observation, security posture, LGPD and everything that shows up when you look at a domain calmly.
May 22, 2026 · 7 min
How we compute risk in $/year (ALE) — formula, table and worked example
The A–F grade answers "how is my posture?". ALE answers "how much does this cost per year?". We show the formula, the calibrated table and a worked numeric example — with the inputs you need to fill in to switch it on.
by Carol
May 19, 2026 · 5 min
ASM (Attack Surface Management): why you should look at your site like an attacker
ASM is the discipline that maps everything your company exposes to the internet — known or forgotten — and measures the risk before an attacker does. What it is, what it isn't, and where to start.
by Carol
May 12, 2026 · 4 min
Annual pentest vs continuous auditing: which one protects you more?
A pentest is a snapshot. Continuous auditing is a video feed. Here's when each makes sense, what they cost, and why most companies need both — in different proportions.
by Carol
May 5, 2026 · 4 min
Secure WordPress in 2026: a checklist of what an attacker sees
Most "secure WordPress" guides end up recommending the same firewall plugin. This one looks at what an attacker actually sees — before they do.
by Carol
April 28, 2026 · 4 min
Subdomain takeover: the forgotten subdomain that becomes a front door
The promo.yourcompany.com you turned off in 2022 still points to Heroku. Today, anyone can grab it back — and run phishing under your domain.
by Carol
April 21, 2026 · 4 min
How much does one hour of downtime really cost (with a calculator)
Downtime isn't just "some lost sales". The real bill includes wasted CAC, SEO penalty, reputation, and support load. Here's how to compute it in dollars.
by Carol
April 14, 2026 · 4 min
Expired SSL certificate: what happens and how to avoid it
An expired SSL certificate takes your site down without warning. Why it happens, what the user sees, and why you only find out when someone calls to complain.
by Carol
April 7, 2026 · 3 min
Why LGPD is not just a privacy page
Most sites treat LGPD as a footer link. Complying with the law involves a consent banner, a legal basis per purpose, the DPO contact and tracking that respects opt-in.
by Carol
March 31, 2026 · 5 min
How to tell if your site was hacked (and what to do before Google punishes you)
Most hacked sites only find out when Google flags them as unsafe and traffic collapses. The signs show up earlier — if you know where to look.
by Carol
March 24, 2026 · 5 min
SPF, DKIM and DMARC: why your emails land in spam
Three acronyms that decide whether your email reaches the inbox or spam. What each one does, how to configure it, and why most companies still get it wrong.
by Carol
March 17, 2026 · 5 min
Is free site monitoring worth it? An honest comparison
UptimeRobot, Better Stack, StatusCake, Pingdom — where the free tier is enough and where it costs you more than it saves.
by Carol
March 10, 2026 · 4 min
5 HTTP security headers your site probably doesn't have
Security headers are the cheapest and most underused defense on the web. Five you can turn on today without touching application code.
by Carol
March 3, 2026 · 4 min
High uptime is not the same as availability
Your monitoring can report 99.99% and your customer can be furious. The difference is in what you monitor, how often, and what you consider "up".
by Carol