<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>collina.tech</title><link>https://collina.tech/</link><description>Recent content on collina.tech</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Fri, 03 Jul 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://collina.tech/index.xml" rel="self" type="application/rss+xml"/><item><title>AI Testing</title><link>https://collina.tech/ai-testing/</link><pubDate>Fri, 03 Jul 2026 00:00:00 +0000</pubDate><guid>https://collina.tech/ai-testing/</guid><description>&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-gdscript3" data-lang="gdscript3"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="o"&gt;$&lt;/span&gt; &lt;span class="o"&gt;./&lt;/span&gt;&lt;span class="n"&gt;ai&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;testing&lt;/span&gt; &lt;span class="o"&gt;--&lt;/span&gt;&lt;span class="n"&gt;scope&lt;/span&gt; &lt;span class="n"&gt;models&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="n"&gt;rag&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="n"&gt;agents&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="n"&gt;tools&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Machine-learning systems fail in ways classic software does not. The vulnerability isn&amp;rsquo;t a missing bounds check — it&amp;rsquo;s that a model reads &lt;em&gt;attacker-controlled text as instructions&lt;/em&gt;, that a retrieval pipeline &lt;strong&gt;cannot forget&lt;/strong&gt; a poisoned document, and that an agent with real credentials can be talked into using them against its owner. This track is where I keep field notes on breaking — and therefore securing — AI systems.&lt;/p&gt;
&lt;h2 id="why-ai-testing-is-its-own-discipline"&gt;Why AI testing is its own discipline&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;The trust boundary moved into natural language.&lt;/strong&gt; There is no reliable syntax that separates &amp;ldquo;data&amp;rdquo; from &amp;ldquo;commands&amp;rdquo; in a prompt. Every channel that puts text into the context window — user input, a retrieved document, a tool&amp;rsquo;s output, another agent&amp;rsquo;s message — is an injection surface.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Findings are probabilistic.&lt;/strong&gt; The same payload can succeed 7 times out of 10. A pentest report has to speak in &lt;strong&gt;Attack Success Rate&lt;/strong&gt;, pinned to model, version, and temperature — not a single screenshot.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;The blast radius is the tooling, not the chat box.&lt;/strong&gt; A model that &amp;ldquo;says something bad&amp;rdquo; is a safety issue. A model wired to email, a database, or a shell that can be &lt;em&gt;made to act&lt;/em&gt; is a security issue. That&amp;rsquo;s where the money is.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="the-mental-model-the-lethal-trifecta"&gt;The mental model: the lethal trifecta&lt;/h2&gt;
&lt;p&gt;The clearest framing of agentic risk, from &lt;a href="https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/"&gt;Simon Willison (June 2025)&lt;/a&gt;: an agent is exploitable for data theft when it holds &lt;strong&gt;all three&lt;/strong&gt; of these at once —&lt;/p&gt;</description></item><item><title>Pentesting LLM Applications: A Field Methodology</title><link>https://collina.tech/posts/pentesting-llm-applications-methodology/</link><pubDate>Fri, 03 Jul 2026 00:00:00 +0000</pubDate><guid>https://collina.tech/posts/pentesting-llm-applications-methodology/</guid><description>A repeatable, architecture-led workflow for testing LLM apps and agents — scoping a non-deterministic target, mapping the five attack surfaces, running OWASP LLM Top-10 test cases, and reporting stochastic findings.</description></item><item><title>Prompt Injection &amp; the Lethal Trifecta</title><link>https://collina.tech/posts/prompt-injection-and-the-lethal-trifecta/</link><pubDate>Thu, 02 Jul 2026 00:00:00 +0000</pubDate><guid>https://collina.tech/posts/prompt-injection-and-the-lethal-trifecta/</guid><description>Why prompt injection has no clean fix, how indirect injection turns retrieved content into code, and how the 2025 zero-click incidents (EchoLeak, ShadowLeak, ForcedLeak) are all the same three ingredients.</description></item><item><title>whoami</title><link>https://collina.tech/about/</link><pubDate>Thu, 02 Jul 2026 00:00:00 +0000</pubDate><guid>https://collina.tech/about/</guid><description>&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-fallback" data-lang="fallback"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;$ whoami
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;collina
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;$ id
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;uid=1337(collina) groups=pentest,osint,ctf
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;I break web apps and APIs for a living, and chase loose threads through open sources for fun. This is where I keep field notes — the writeups, the tooling, the tradecraft that didn&amp;rsquo;t fit in a report.&lt;/p&gt;
&lt;h2 id="what-youll-find-here"&gt;What you&amp;rsquo;ll find here&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Pentest&lt;/strong&gt; — web/API exploitation walkthroughs, methodology, and the occasional CTF.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Investigation&lt;/strong&gt; — OSINT pivots, entity mapping, and how to turn a single artifact into a full picture.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Tooling&lt;/strong&gt; — small scripts and setups that pull their weight.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Everything here is my own work and opinion. Findings from real engagements are sanitized — no client data, no live targets, no crossing the line.&lt;/p&gt;</description></item><item><title>The AI Testing Toolkit &amp; Frameworks</title><link>https://collina.tech/posts/ai-testing-toolkit-and-frameworks/</link><pubDate>Wed, 01 Jul 2026 00:00:00 +0000</pubDate><guid>https://collina.tech/posts/ai-testing-toolkit-and-frameworks/</guid><description>The frameworks that give an AI pentest its vocabulary, the scanners that give it coverage, and a safe practice-lab recipe for rehearsing every attack offline.</description></item><item><title>Hunting IDOR / BOLA in the Wild</title><link>https://collina.tech/posts/hunting-idor-in-the-wild/</link><pubDate>Sun, 28 Jun 2026 00:00:00 +0000</pubDate><guid>https://collina.tech/posts/hunting-idor-in-the-wild/</guid><description>A repeatable workflow for finding broken object-level authorization in modern APIs — from mapping object references to proving impact.</description></item><item><title>OSINT: Pivoting From a Single Artifact</title><link>https://collina.tech/posts/osint-pivoting-from-one-artifact/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://collina.tech/posts/osint-pivoting-from-one-artifact/</guid><description>How to turn one email, username, or image into a mapped network of entities — a disciplined pivot chain that avoids rabbit holes.</description></item><item><title>A Recon Workflow That Actually Scales</title><link>https://collina.tech/posts/a-recon-workflow-that-scales/</link><pubDate>Fri, 12 Jun 2026 00:00:00 +0000</pubDate><guid>https://collina.tech/posts/a-recon-workflow-that-scales/</guid><description>Turning a wildcard scope into a prioritized attack surface without melting your VPS — passive first, resolve, probe, then triage.</description></item></channel></rss>