Blog
Most security writing is either a press release or a panic. These field notes are neither. Each one takes a real, documented incident, walks through what actually happened in plain language, and then asks the question that matters for everyone else: what would this have looked like from the outside, before it went wrong?
That last question is the whole point of an external scan. Attackers do not start with inside knowledge of your systems — they start with the same public view anyone has. So do we. Every story below ends with the signal that was sitting in plain sight.
- Why your emails go to spam
The real reasons business email lands in the spam folder — almost always authentication and reputation, rarely the words you wrote — and the order in which to fix them.
- What is External Attack Surface Management (EASM)?
EASM is the discipline of seeing your organisation the way an attacker does — everything reachable from the public internet — and watching it continuously, because it grows when you are not looking.
- SPF, DKIM, and DMARC explained
The three DNS records that decide whether your email reaches the inbox or gets forged by an attacker — what each one really does, how they work together, and the mistakes that quietly defeat them.
- HTTP security headers, explained
Security headers are short instructions your server sends with every page that shut down whole classes of browser attack. Here is what each one does, how to check yours, and why they are your best defence against poisoned third-party code.
- How we classify severity
What High, Medium, Low, and Informational mean in a zmam.ai report — the questions behind each rating, and why findings like a missing HSTS header or a DMARC p=none policy land where they do.
- How to tell if your website is exposed or compromised
The difference between exposed and compromised, the signs of each you can read from the outside, and why the attacker almost always starts with the same public view you have.
- How to set up DMARC, step by step
A safe, staged DMARC rollout — start by listening, fix what the reports reveal, then enforce — so you stop spoofing without ever blocking your own legitimate mail.
- How to fix a DMARC p=none finding
A DMARC record stuck at p=none monitors but does not protect. Here is how to move it safely to enforcement — the modern, RFC 9989 way, without the retired pct tag.
- How to check your SSL/TLS certificate
How to inspect your TLS certificate in the browser or from the command line, what the fields mean, the problems that matter most — and why certificate lifetimes are about to get dramatically shorter.
- How to check your SPF record
Three ways to read your domain SPF record in seconds — online, with dig, or with nslookup — and how to spot the four mistakes that quietly break it.
- Free website security checks: what they cover and what they miss
A free external scan is a genuinely useful first look — and it is not a penetration test. Knowing exactly where that line falls is what lets you act on the results.
- DNS records that affect your security
DNS is the public map of your domain, and a handful of record types decide how hard you are to impersonate, hijack, or take over. Here is which ones matter and what good looks like.
- Cybersecurity for Saudi companies: where to start
For most Saudi small and mid-sized organisations the highest-impact security work is not exotic. It is getting the public-facing basics right and protecting identities — in roughly this order.
- The worm that taught the supply chain to replicate itself
In late 2025 a string of npm compromises culminated in Shai-Hulud, the first self-replicating package worm — and showed why the code your website loads from someone else is part of your attack surface.
- Eleven days, 11.5 million tries: the leak that walked past MFA
CitrixBleed 2 (CVE-2025-5777) let attackers read session tokens straight out of a NetScaler memory leak and bypass multi-factor authentication — and like every big 2025 edge breach, the victims were findable from the public internet.
- The CDC was serving malware, and the CDC was not hacked
How abandoned cloud DNS records let the Hazy Hawk group hijack subdomains of the CDC, universities and global firms — and how a $1.2M crypto heist used the same idea one rung higher, at the registry.
- The spam came from a domain nobody owned anymore
How the SubdoMailing operation turned forgotten SPF entries and abandoned subdomains of brands like MSN, McAfee and eBay into a machine that sent millions of fully authenticated spam emails a day.
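The SPF and DMARC checks described in two of the entries above ("How to check your SPF record" and "How to fix a DMARC p=none finding") can be reproduced offline once you have the TXT records in hand. The following Python is an added example, not the site's scanner and not code from any of the posts: the domains and records in `SAMPLE_TXT` are constructed stand-ins for a DNS lookup, and the finding strings are my own wording. It flags several common SPF mistakes (no record, more than one record, a missing or permissive `all`, too many lookup mechanisms) and the DMARC weaknesses the severity post mentions (no record, `p=none`, no `rua=`, a leftover `pct=` tag).

```python
"""Offline SPF/DMARC record check (added example; constructed sample data)."""

import re

# Constructed sample TXT records. Replace this dict with a real resolver
# (e.g. a function wrapping `dig +short TXT <name>`) to check a live domain.
SAMPLE_TXT = {
    "example.com": [
        "v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all",
    ],
    "_dmarc.example.com": [
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    ],
    "weak.example": [
        "v=spf1 ip4:203.0.113.0/24 +all",
        "v=spf1 include:_spf.oldvendor.example -all",
    ],
    "_dmarc.weak.example": [],
}

# Mechanisms and modifiers that each cost one of the 10 permitted DNS lookups
# (RFC 7208 section 4.6.4). Nested includes also count, so an offline count of
# the top-level record is only a lower bound.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)", re.I)


def spf_findings(txt_records):
    """Return a list of human-readable SPF problems for one domain's TXT set."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    findings = []
    if not spf:
        return ["no SPF record: any host may claim to send for this domain"]
    if len(spf) > 1:
        # RFC 7208 section 4.5: more than one SPF record is a permerror.
        findings.append("multiple SPF records: receivers return permerror")
    for rec in spf:
        terms = rec.split()[1:]
        all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
        if not all_terms:
            findings.append("no 'all' mechanism: unlisted senders get a neutral result")
        elif all_terms[-1] in ("all", "+all"):
            findings.append("'+all' authorises every sender on the internet")
        lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
        if lookups > 10:
            findings.append(f"{lookups} lookup mechanisms at top level (limit is 10)")
    return findings


def dmarc_findings(txt_records):
    """Return a list of human-readable DMARC problems for _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: spoofed mail is neither rejected nor reported"]
    if len(dmarc) > 1:
        # RFC 7489 section 6.6.3: multiple records mean DMARC processing stops.
        return ["multiple DMARC records: receivers treat this as no record"]
    tags = {}
    for kv in dmarc[0].split(";"):
        if "=" in kv:
            key, value = kv.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"invalid or missing policy tag p={policy!r}")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are never received")
    if "pct" in tags:
        findings.append("pct= tag present: retired in the current DMARC specification")
    return findings


def check_domain(domain, txt_lookup=SAMPLE_TXT.get):
    """Check SPF on <domain> and DMARC on _dmarc.<domain> via txt_lookup."""
    return {
        "spf": spf_findings(txt_lookup(domain) or []),
        "dmarc": dmarc_findings(txt_lookup("_dmarc." + domain) or []),
    }


if __name__ == "__main__":
    for name in ("example.com", "weak.example"):
        print(name, check_domain(name))
```

Feeding it live records is a matter of swapping `txt_lookup` for a function that runs the `dig` or `nslookup` query the SPF post describes and returns the TXT strings; the parsing and the findings stay the same.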