thinkbridge insights · The Validation Atlas · 60-day journey

Sixty days. Sixty techniques.

One validation technique per day, ordered easiest to hardest, from static type checking and linting through to chaos engineering, AI evals, and formal verification. Each lesson takes about five minutes and ends with a single quiz question. Your progress and streak are saved locally on this device.

Static analysis & type-time

Run before the program runs. Cheapest possible defect catch, no execution, no environment, no flaky tests. Every project should max out this layer before climbing the pyramid.

Day 1
Small
Linting & formatting
Style drift, common bug patterns, and review bikeshedding.
Day 2
Small
Dependency vulnerability scanning
Known CVEs in third-party packages.
Day 3
Small
Secret scanning
API keys, tokens, and passwords accidentally committed.
Day 4
Small
License compliance
Incompatible licenses (GPL in proprietary code, AGPL in SaaS) creating legal exposure.
Day 5
Small
Static type checking
Runtime errors that the compiler could have caught.
Day 6
Small
API spec validation & drift
OpenAPI/AsyncAPI spec and implementation diverge silently.
Day 7
Small
SAST (security static analysis)
Vulnerabilities that linting misses, SQL injection, SSRF, hardcoded credentials, unsafe deserialization.
Day 8
Small
SBOM & supply-chain provenance
Unknown dependency lineage; build pipelines compromised by malicious commits or hijacked packages.

Unit, integration, contract

The classic test pyramid. Unit tests for logic; integration for boundaries; contract tests for cross-team or cross-service agreements. Volume matters less than coverage of failure modes.

Day 9
Medium
Snapshot / golden-master
Output formats and complex object graphs change unintentionally.
Day 10
Medium
Code coverage (with caveats)
Untested code paths are invisible until they ship a bug.
Day 11
Small
Unit testing
Logic regressions and incorrect implementations.
Day 12
Small
Integration testing
Bugs at the seams between modules, DB calls, queues, third-party APIs.
Day 13
Small
Contract testing
Service A and Service B agree on a contract; either side breaks it without warning.

Property-based & oracle-free

When you can't enumerate every example, you can still state invariants. When the system has no ground-truth oracle (machine learning, code generation, constraint solvers), these techniques are the only defense.

Day 14
Small
Property-based testing
Example tests miss edge cases by construction; you don't test inputs you didn't think of.
Day 15
Small
Metamorphic testing
No ground-truth oracle exists, common in ML, search, code generation, simulation.
Day 16
Small
Mutation testing
A test suite passes; but how do you know it would catch a real bug?
Day 17
Small
Differential testing
No oracle, but multiple candidate implementations.

E2E, UI, accessibility

The user-facing surface. A golden-path E2E catches more user-visible bugs than fifty unit tests but costs ten times more to maintain. Visual, a11y, and performance budgets close the visible-quality loop.

Day 18
Small
Exploratory / session-based testing
The software technically passes, but the workflow still feels confusing, risky, or broken in ways no scripted test imagined.
Day 19
Medium
Visual regression testing
CSS, layout, and rendering bugs that pass functional tests but visibly break the UI.
Day 20
Small
Accessibility (a11y) automation
WCAG violations that exclude users with disabilities, and risk legal action.
Day 21
Small
Performance budgets / Lighthouse CI
Frontend bloat creeps in; LCP, TTI, and bundle size regress without a guardrail.
Day 22
Small
Cross-browser / device matrix
Bugs that only appear on Safari/iOS, in older Chrome, or on slow Android phones.
Day 23
Small
E2E testing (browser/mobile)
Integration of real frontend, real backend, real network, tested only by users in production.

Dynamic, fuzz & dynamic security

Throw machine-generated inputs at the running system and watch what crashes. Has caught more security CVEs in browsers, parsers, and codecs than any other class of testing. High setup cost; high payoff in the right domain. Also covers dynamic security testing, running attacks against the running app.

Day 24
Medium
Formal verification & model checking
For safety-critical systems, "extensive testing" isn't enough, you need a proof.
Day 25
Small
Memory / undefined-behavior sanitisers
Memory bugs in C/C++/unsafe Rust that don't crash deterministically.
Day 26
Small
DAST (dynamic application security testing)
Vulnerabilities only visible at runtime, auth bypass, IDOR, broken access, server-side injection.
Day 27
Small
API fuzzing from spec
Endpoints handle unexpected inputs the team never considered.
Day 28
Small
Authorization regression testing
Users can read or mutate records, fields, or admin functions they should never reach.
Day 29
Small
Race & concurrency detection
Heisenbugs that only fire under concurrent load or specific schedules.
Day 30
Small
Fuzz testing
Edge inputs you didn't imagine, malformed bytes, oversized payloads, unicode tricks.
Day 31
Medium
Symbolic / concolic execution
Code paths fuzzers can't reach because they require structured inputs (parsers, file formats).

Load, chaos, durability

A passing single-request test does not mean production-ready. These techniques prove the system survives volume, time, and partial failure of dependencies.

Day 32
Small
Game days & DR drills
Your runbook works on paper. Does the team work it under stress at 3 AM?
Day 33
Small
Soak / endurance testing
Memory leaks, file-descriptor leaks, slow drift under sustained load.
Day 34
Small
Load testing
Performance fails under realistic traffic; and you find out at launch.
Day 35
Small
Chaos engineering / fault injection
Dependencies fail in production. Did your retry/timeout/fallback actually work?

Production & continuous

Pre-deploy testing has a ceiling, production is the only complete test environment. Synthetic monitoring, error tracking, tracing, feature flags, and progressive rollout convert "deploy and pray" into "deploy and observe."

Day 36
Small
Blue-green & shadow traffic
New service version is "ready"; but how does it behave on real production traffic?
Day 37
Small
Real-user monitoring + error tracking
You see what monitoring measures; you don't see what users experience.
Day 38
Small
Synthetic monitoring
Outages and regressions found by your customers, not your dashboards.
Day 39
Small
Distributed tracing & observability
Errors in distributed systems are invisible without correlation.
Day 40
Small
Feature flags & canary deploys
Big-bang deploys; the only rollback is git revert.

Process, code review & AI-assisted

Validation is also a social system. Threat modeling, code review, ADRs, and now AI-assisted test generation catch defects no inspection-based tool can, design errors, missed requirements, ambiguous specs.

Day 41
Small
Code review (peer or AI)
Design-level defects, missed requirements, and ambiguous specs that no static tool can catch.
Day 42
Small
Threat modeling
Security flaws found in pen tests after launch, the most expensive time to find them.
Day 43
Small
Penetration testing & bug bounties
Adversaries spend months attacking your system. Your team spent two days defending it.
Day 44
Small
Test impact analysis / selective execution
CI grows past the point where engineers trust it, so they batch changes, skip checks, or wait hours for feedback.
Day 45
Small
Requirements / acceptance validation
The team builds the feature correctly; but the feature is the wrong thing, or the acceptance criteria never described the real user outcome.
Day 46
Medium
AI-assisted test generation
Test backlog grows faster than human-written tests can cover it.

Data, ML & infrastructure

Code is not the only artifact that ships. Pipelines, schemas, infra-as-code, and ML models all need their own validation. Misconfigured infrastructure has caused more 2024–2026 production incidents than vulnerable code.

Day 47
Small
Policy as code
Compliance and platform rules enforced by humans through review, slow, inconsistent, ungated.
Day 48
Small
Container image scanning
A vulnerable base image silently ships everywhere a service deploys.
Day 49
Small
IaC scanning (Terraform, Kubernetes)
Misconfigured infrastructure is the leading cause of production breaches in 2024–2026, open S3 buckets, permissive IAM, exposed secrets in helm values.
Day 50
Small
Data quality testing
Pipelines silently break, null counts spike, schemas drift, freshness lapses, downstream dashboards lie.
Day 51
Small
Test data & environment parity
It worked in staging because staging had clean data, fake dependencies, smaller scale, and none of production's weirdness.
Day 52
Small
Database migration & rollback testing
A schema migration, backfill, or rollback corrupts data or blocks production traffic.

AI-system specific

Software whose output is generated by a model, chat, retrieval, code generation, agents, has no programmatic oracle. These techniques replace "is the output correct" with "does the output satisfy our rubric / schema / behavior contract." 2026 reality: traceability across prompt × model × dataset × eval-version is the new contract.

Day 53
Small
Prompt eval suites (offline)
A prompt edit silently regresses performance on inputs you no longer remember.
Day 54
Small
Output schema gating (structured outputs)
LLM emits drifted JSON; downstream parsers crash; silent data loss.
Day 55
Small
AI agent tracing & observability
Multi-step agentic systems are opaque, when output is wrong, you can't see which tool call, which retrieval, or which reasoning step caused it.
Day 56
Small
Output guardrails (AI safety)
Models produce off-policy, unsafe, or PII-leaking output that can't be caught by an offline eval.
Day 57
Small
LLM-as-judge evaluation
Generated text/code/answers have no programmatic ground truth.
Day 58
Small
Adversarial / jailbreak testing
Users discover ways to make your model produce unsafe, off-policy, or off-brand output.
Day 59
Small
RAG retrieval evaluation
Retrieval-augmented systems hallucinate when retrieval misses or returns garbage.
Day 60
Small
ML model & feature drift detection
Model performance degrades silently as input distribution shifts away from training data.