Blog

Deep dives.

Investigations under the hood of the tools we use every day. How things actually work — not how the docs say they work.

Deep dives · 13 June 2026 · 8 min read

p95 latency explained for QA engineers

What p95 actually means, why averages hide the bugs, and how to read a latency distribution as a tester.

performance-testing · latency · metrics

Deep dives · 13 June 2026 · 8 min read

IDOR explained for QA engineers

The most common serious web vulnerability is also the easiest for QA to catch: the app serves a record by ID without checking it is yours. Two accounts and a changed number find it.

security-testing · auth · idor · bugs

Deep dives · 13 June 2026 · 8 min read

API status codes testers should actually care about

Skip the full registry — learn the dozen status codes that carry real meaning, what each promises, and how to spot when the code and the body disagree.

api-testing · status-codes · http

Deep dives · 13 June 2026 · 8 min read

Load testing is not the same as performance testing

Load testing is one type of performance test, not the whole thing. A single user can have a performance bug. Match the test (load/stress/spike/soak) to the risk.

performance-testing · load-testing · concepts

Deep dives · 13 June 2026 · 9 min read

Prompt injection testing for QA engineers

LLMs can't reliably separate instructions from data, so user input can hijack the model. Direct and indirect injection, what to check for, and how to report it QA-safe.

ai-testing · security-testing · prompt-injection · llm

Deep dives · 13 June 2026 · 8 min read

Focus order bugs: small issue, big user impact

Focus order is the route a keyboard user takes through your page. When it's wrong the page looks perfect and becomes unusable — and scans don't catch it.

accessibility · a11y · keyboard-testing · focus-management

Deep dives · 13 June 2026 · 10 min read

OWASP Top 10 for testers, not hackers

The OWASP Top 10 translated for QA: what each category means for flows you already test, and the one check you can run without being a pentester.

security-testing · owasp · checklist · auth

Deep dives · 13 June 2026 · 9 min read

Testing app updates without breaking existing users

QA fresh-installs; real users upgrade in place over old data. Test the upgrade path — schema migrations, stored settings, sessions, multi-version jumps.

mobile-testing · app-updates · migration · regression

Deep dives · 13 June 2026 · 8 min read

Release readiness is not just passed test cases

A green suite confirms only what you thought to check. Readiness adds coverage-vs-change, accepted risk, observability, and non-functional signals.

test-management · release · risk · sign-off

Deep dives · 13 June 2026 · 8 min read

Test cases vs scenarios vs charters: the difference

Three different tools on a spectrum from prescribed to open: when to write a scripted case, a coverage scenario, or an exploratory charter.

manual-testing · test-cases · exploratory-testing · fundamentals

Deep dives · 13 June 2026 · 9 min read

The API test data problem nobody plans for

API suites fail on shared, stale, order-dependent data more than on wrong assertions. The own-your-data strategy — independent, unique, cleaned — that keeps them reliable.

api-testing · test-data · automation · fixtures

Deep dives · 13 June 2026 · 9 min read

iOS vs Android testing differences QA should know

Fragmentation, permissions, system-back, lifecycle, hardware layout, and notifications diverge between platforms — so a pass on one isn't evidence for the other.

mobile-testing · ios · android · cross-platform

Deep dives · 13 June 2026 · 8 min read

How to set realistic performance thresholds

Derive thresholds from user expectation, today's baseline, and business impact — set on p95/p99 with an error-rate gate, tiered by criticality — not a made-up 'under 2s'.

performance-testing · thresholds · slo · strategy

Deep dives · 13 June 2026 · 9 min read

QA career paths: manual, automation, SDET, lead, manager

An honest map of QA's branches — deepening manual, automation, SDET, lead, manager — each rewarding different strengths, none 'up' from the others. Choose by what you like doing.

career · career-paths · sdet · qa-lead

Deep dives · 2 May 2026 · 10 min read

How Cypress retry-ability really works

Cypress retries commands until they pass or time out — but only some commands, and only some of the time. Understanding which is the difference between solid tests and flaky ones.

cypress · internals · flaky-tests

Deep dives · 10 February 2026 · 10 min read

How Playwright's auto-waiting actually works

Cypress retries commands; Playwright auto-waits on actionability. Same problem, different solution. Here's what Playwright is actually doing when you call .click().

playwright · internals · flaky-tests

Deep dives · 11 November 2025 · 10 min read

Contract testing, explained without the Pact marketing

Contract testing is two things wearing one name: a model and a tool. The model is genuinely useful; the marketing for the tool oversells where it fits. Here's the model, separated from any vendor's pitch.

contract-testing · pact · api-testing · microservices

Deep dives · 28 October 2025 · 9 min read

REST vs GraphQL testing: the actual differences

Most 'REST vs GraphQL' content is about API design. The testing perspective is different — query construction, schema-aware tooling, the N+1-shaped test bug, and why GraphQL flips the test pyramid.

api-testing · graphql · rest · comparison