Risk-based testing when everything is urgent
How to prioritise testing when the timeline just got cut in half and everything is labelled critical.
Blog
Deeper material for senior QA, leads, and specialists — strategy, internals, and judgement calls.
Authentication asks who you are; authorization asks if you are allowed. Most access-control bugs live in the second question — tested with a written access matrix and a lot of negative testing.
LLMs can't reliably separate instructions from data, so user input can hijack the model. Direct and indirect injection, what to check for, and how to report it in a QA-safe way.
QA fresh-installs; real users upgrade in place over old data. Test the upgrade path — schema migrations, stored settings, sessions, multi-version jumps.
Cypress retries commands; Playwright auto-waits on actionability. Same problem, different solution. Here's what Playwright is actually doing when you call .click().
The transition from SDET to QA Lead is brutal in a way the title doesn't telegraph. You stop being measured on what you ship and start being measured on what your team ships.
Contract testing is two things wearing one name: a model and a tool. The model is genuinely useful; the marketing for the tool oversells where it fits. Here's the model, separated from any vendor's pitch.
The pitch: 'run load tests on every PR.' The reality: you'll have flaky thresholds in three days and disabled tests in two weeks. Here's the four-tier strategy that actually survives.