Application security, from someone who finds these bugs for a living.

I'm Carl Sampson — application security engineer and OWASP Indianapolis founder. For 15+ years I've found the vulnerabilities that ship to production anyway, and this newsletter is where I write them up at the level things actually break: real payloads, real fixes, and the mistakes I made getting there. No fluff, no AI slop — just deep dives on web security and Python from someone who does this for real.

New deep dive every few weeks · Python, web security, and the details most write-ups skip · Unsubscribe anytime.

What you’ll get

  • Vulnerability deep dives — how the attack actually works on the wire, not just “and then it’s game over.”
  • Python security, in practice — real code, real mistakes, and the fixes that hold up.
  • The details others skip — byte-level walkthroughs, the “obvious” fix that isn’t, and what I learned getting it wrong first.
  • No noise — no cross-posted headlines, no AI-generated filler. Just the stuff I’d want to read myself.