We started Nautillo as a browser extension to see how security issues appear during normal browsing.
We learned this fast.
Tools scan in isolation.
Attackers chain small weaknesses step by step.
So Nautillo is evolving.
From one extension to attack-focused security.
Extensions for early signals.
A SaaS product that simulates real web attack paths.
Question.
How do you validate real security risk today without enterprise tools or noisy scanners?
Really interesting pivot from extension to SaaS. The attack path simulation angle is smart — most tools just throw a list of CVEs at you without context.
To your question: I've been validating JSON payloads lately and the amount of sketchy data that passes through APIs is wild. Simple stuff like checking for script injection in JSON fields catches more issues than you'd think.
Curious — does Nautillo work with API traffic too, or mainly browser-based attacks?
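An added example of the kind of JSON field check mentioned above (not Nautillo's code, nor the commenter's): it walks a decoded payload and reports the JSON path of every string field that matches a small set of script-injection signals. The rule names, patterns and sample payload are assumptions constructed for the example.

```python
import json
import re
from typing import Any, Iterator

# Hypothetical rules: crude, defensive signals for script content in string fields.
# They flag a payload for rejection or review; output encoding at the sink is still required.
SCRIPT_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),  # onerror=, onload=, ...
    "html_data_uri": re.compile(r"data\s*:\s*text/html", re.IGNORECASE),
}

def walk(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, value) for every string leaf in a decoded JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield (path, node)

def find_script_injection(raw_json: str) -> list[dict[str, str]]:
    """Parse a JSON payload and return one finding per string field that matches a rule."""
    document = json.loads(raw_json)  # raises on malformed JSON, which is itself a reject
    findings = []
    for json_path, text in walk(document):
        for rule, pattern in SCRIPT_PATTERNS.items():
            if pattern.search(text):
                findings.append({"path": json_path, "rule": rule})
                break  # one finding per field is enough to flag the payload
    return findings

# Constructed sample payload, not captured traffic.
SAMPLE = json.dumps({
    "user": {"name": "alice", "bio": "Hi <script>alert(1)</script>"},
    "links": [{"href": "https://example.com"}, {"href": "JavaScript:void(0)"}],
    "tags": ["ok", "onerror=stolen"],
})

if __name__ == "__main__":
    for finding in find_script_injection(SAMPLE):
        print(f"{finding['path']}: {finding['rule']}")
```

The event-handler rule in particular is deliberately loose and will match benign text like `one=`, so treat hits as a signal to inspect, not proof of an attack.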
The "chain small weaknesses" insight is the key differentiator here. Most security tools treat vulnerabilities as isolated findings — "you have XSS here, SQL injection there" — without showing how an attacker would actually combine them into a kill chain.
To your question about validating security risk without enterprise tools:
For small teams, I've seen a few approaches work:
Threat modeling first — Before scanning anything, map out "what would an attacker actually want from this system?" That filters signal from noise better than any tool.
Bug bounty programs at small scale — Even a modest bounty attracts researchers who think like attackers, not scanners. They naturally chain weaknesses because that's how you find interesting bugs.
Dependency-focused audits — Most indie apps get compromised through supply chain, not custom code. Monitoring your npm/pip/etc dependencies for known vulns is high ROI.
Curious about the extension → SaaS pivot: what's the distribution strategy for the SaaS side? Security tools are notoriously hard to sell — buyers want proof you can find real issues, but you can't demo on their production systems without trust first. Chicken-and-egg.