Field notes from the frontier.

Articles on offensive and defensive application security, AI-powered pentesting, LLM guardrails, and the methodologies behind the NullPointer ecosystem.

$ ./blog --init hello, world_ [ok] publishing article 001...
2026-07-10

Hello, world: the NullPointer blog

Why we're starting a blog, what you can expect to read here, and a quick tour of the open-source ecosystem it will cover—from Agent-Smith to Seraph and the skills library in between.

Read article →
/pentester /web-exploit /remediate
2026-07-03

Skills, not scripts: how Agent-Smith chains an attack

Most “AI pentesters” are chatbots wrapped around a script library. We took the opposite bet—teach the methodology, let the model invent the attack, and let skills chain themselves.

Read article →
2026-06-26

A firewall you can't jailbreak: designing Seraph

Every blocklist eventually fails. Here's why we built Seraph on a positive-security allow-list instead—and what it means to be immune to prompt injection by design.

Read article →