diff --git a/backend/app/services/atomic_import_service.py b/backend/app/services/atomic_import_service.py
index 85796fd..b7d9c49 100644
--- a/backend/app/services/atomic_import_service.py
+++ b/backend/app/services/atomic_import_service.py
@@ -135,7 +135,7 @@ def _safe_extract_zip(zip_bytes: bytes, dest: str) -> None:
 f"exceeds limit of {_MAX_UNCOMPRESSED_SIZE / (1024 * 1024):.0f} MB"
 )
- # Iterate over entries
+ # Iterate over entries — validate and extract each member individually
 for member in entries:
 # Assign target = (dest_path / member.filename).resolve()
 target = (dest_path / member.filename).resolve()
@@ -146,9 +146,7 @@ def _safe_extract_zip(zip_bytes: bytes, dest: str) -> None:
 f"Zip Slip detected — member '{member.filename}' "
 f"resolves outside target directory"
 )
-
- # Call zf.extractall()
- zf.extractall(dest)
+ zf.extract(member, dest)
 # Define function _extract_zip
diff --git a/backend/app/services/caldera_import_service.py b/backend/app/services/caldera_import_service.py
index 30b4057..68f5b07 100644
--- a/backend/app/services/caldera_import_service.py
+++ b/backend/app/services/caldera_import_service.py
@@ -110,7 +110,7 @@ def _extract_zip(zip_bytes: bytes, dest: str) -> Path:
 raise ValueError(
 f"Zip Slip detected — '{member.filename}' resolves outside target directory"
 )
- zf.extractall(dest)
+ zf.extract(member, dest)
 # Assign abilities_dir = Path(dest) / _ZIP_ROOT_PREFIX / "data" / "abilities"
 abilities_dir = Path(dest) / _ZIP_ROOT_PREFIX / "data" / "abilities"
 # Check: not abilities_dir.is_dir()
diff --git a/backend/app/services/elastic_import_service.py b/backend/app/services/elastic_import_service.py
index af14940..fa720d4 100644
--- a/backend/app/services/elastic_import_service.py
+++ b/backend/app/services/elastic_import_service.py
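Review bot: Validation and extraction are now interleaved in the same loop, so when `raise ValueError(...)` fires for a bad entry every member before it has already been written into dest; the call fails, but leaves a half-populated directory behind. Keeping this loop as a pure validation pass and extracting only once every name has been checked keeps dest untouched on rejection: after the loop add `for member in entries:` / `zf.extract(member, dest)`. The is-inside-dest comparison sits between the two hunks and is not visible here; it should compare resolved paths (`target.is_relative_to(dest_path)` with `dest_path` itself resolved), not string prefixes, or a sibling directory sharing a prefix with dest would pass. `_safe_extract_zip` starts before this hunk.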
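Review bot: This is the same Zip Slip guard as `_safe_extract_zip` in atomic_import_service.py, re-implemented under a different name with a different message, and the commit has to patch six copies of it; one shared helper in a common module would make the next fix a single change. Unlike the `_safe_extract_zip` variants, nothing visible in this hunk caps total uncompressed size, so if `_extract_zip` has no equivalent of the `_MAX_UNCOMPRESSED_SIZE` check (cannot tell from here) a decompression bomb still lands on this path. `zipfile.ZipFile.extract` itself strips absolute prefixes and `..` components, so the explicit check is defense in depth rather than the only barrier; a one-line comment such as `# Belt-and-braces: zipfile.extract also sanitises names, but fail loudly instead of silently rewriting them` would say why it is kept. `_extract_zip` starts before this hunk.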
@@ -149,7 +149,7 @@ def _safe_extract_zip(zip_bytes: bytes, dest: str) -> None:
 f"exceeds limit of {_MAX_UNCOMPRESSED_SIZE / (1024 * 1024):.0f} MB"
 )
- # Iterate over entries
+ # Iterate over entries — validate and extract each member individually
 for member in entries:
 # Assign target = (dest_path / member.filename).resolve()
 target = (dest_path / member.filename).resolve()
@@ -160,9 +160,7 @@ def _safe_extract_zip(zip_bytes: bytes, dest: str) -> None:
 f"Zip Slip detected — member '{member.filename}' "
 f"resolves outside target directory"
 )
-
- # Call zf.extractall()
- zf.extractall(dest)
+ zf.extract(member, dest)
 # Define function _extract_zip
diff --git a/backend/app/services/lolbas_import_service.py b/backend/app/services/lolbas_import_service.py
index ce1be3b..fe25da5 100644
--- a/backend/app/services/lolbas_import_service.py
+++ b/backend/app/services/lolbas_import_service.py
@@ -159,7 +159,7 @@ def _extract_zip(zip_bytes: bytes, dest: str) -> Path:
 raise ValueError(
 f"Zip Slip detected — '{member.filename}' resolves outside target directory"
 )
- zf.extractall(dest)
+ zf.extract(member, dest)
 return Path(dest)
diff --git a/backend/app/services/sigma_import_service.py b/backend/app/services/sigma_import_service.py
index ce0f393..094e868 100644
--- a/backend/app/services/sigma_import_service.py
+++ b/backend/app/services/sigma_import_service.py
@@ -158,7 +158,7 @@ def _safe_extract_zip(zip_bytes: bytes, dest: str) -> None:
 f"exceeds limit of {_MAX_UNCOMPRESSED_SIZE / (1024 * 1024):.0f} MB"
 )
- # Iterate over entries
+ # Iterate over entries — validate and extract each member individually
 for member in entries:
 # Assign target = (dest_path / member.filename).resolve()
 target = (dest_path / member.filename).resolve()
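Review bot: `member.filename` is attacker-controlled and is interpolated verbatim into the ValueError text; if that message reaches a log line or an API error body, a name carrying newlines or ANSI escape sequences is forwarded as-is. Using `f"Zip Slip detected — member {member.filename!r} "` keeps the diagnostic while neutralising control characters. Because `zf.extract(member, dest)` now runs in the same loop iteration as the check, members ahead of the offending one are already on disk when the exception propagates, so the caller must discard dest on ValueError rather than continue with whatever landed. `_safe_extract_zip` starts before this hunk.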
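Review bot: Nothing visible in this hunk bounds the number of members, so an archive with a very large count of tiny or empty entries now produces one `zf.extract` call and one inode per entry, which a byte-size cap does not stop; the iterable being looped over and any limit on it are outside the hunk, so this may already be handled. If not, a count check before the loop, e.g. `if len(zf.infolist()) > _MAX_ENTRIES:` / `raise ValueError(f"archive has too many entries ({len(zf.infolist())} > {_MAX_ENTRIES})")`, closes it cheaply. `return Path(dest)` hands back the unresolved dest while the check compared against a resolved path; returning the resolved form avoids a second resolve in callers. `_extract_zip` starts before this hunk.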
@@ -169,9 +169,7 @@ def _safe_extract_zip(zip_bytes: bytes, dest: str) -> None:
 f"Zip Slip detected — member '{member.filename}' "
 f"resolves outside target directory"
 )
-
- # Call zf.extractall()
- zf.extractall(dest)
+ zf.extract(member, dest)
 # Define function _extract_zip
diff --git a/backend/app/services/threat_actor_import_service.py b/backend/app/services/threat_actor_import_service.py
index 15cabaa..7cc204d 100644
--- a/backend/app/services/threat_actor_import_service.py
+++ b/backend/app/services/threat_actor_import_service.py
@@ -120,7 +120,7 @@ def _extract_zip_and_load_bundle(zip_bytes: bytes, dest: str) -> dict:
 raise ValueError(
 f"Zip Slip detected — '{member.filename}' resolves outside target directory"
 )
- zf.extractall(dest)
+ zf.extract(member, dest)
 # Assign bundle_path = (
 bundle_path = (
diff --git a/scripts/verify_gaps.py b/scripts/verify_gaps.py
index 8f119e2..2ffa62e 100644
--- a/scripts/verify_gaps.py
+++ b/scripts/verify_gaps.py
@@ -9,7 +9,7 @@ import requests, sys
 BASE = os.environ.get("AEGIS_BASE_URL", "http://localhost:8000/api/v1")
 ADMIN_PASSWORD = os.environ.get("AEGIS_ADMIN_PASSWORD", "admin123")
-PASS = "\033[92m✓\033[0m"
+OK_MARK = "\033[92m✓\033[0m"
 FAIL = "\033[91m✗\033[0m"
 passed = 0
 failed = 0
@@ -19,7 +19,7 @@ def check(label, cond, detail=""):
 global passed, failed
 if cond:
 passed += 1
- print(f" {PASS} {label}")
+ print(f" {OK_MARK} {label}")
 else:
 failed += 1
 print(f" {FAIL} {label}" + (f" — {detail}" if detail else ""))
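Review bot: The per-member `.resolve()` check only holds if dest is a fresh, private directory: it is evaluated before `zf.extract` writes, and `zipfile` opens the target with a plain `open(..., "wb")`, so a symlink planted at `dest/<name>` between the check and the write would be followed. If dest comes from `tempfile.mkdtemp()` (not visible here) this is moot; if it is a fixed or shared path, either create it with mkdtemp or note the assumption above the loop, e.g. `# dest must be a fresh private directory; the resolve() check is not atomic with the write`. `_safe_extract_zip` starts before this hunk.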
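Review bot: `_extract_zip_and_load_bundle` now carries its own inline copy of the validate-and-extract loop in addition to locating and loading the bundle, which is why the same one-line fix had to be applied here a sixth time. Splitting extraction out so this function calls the shared safe-extract helper and then only computes `bundle_path` and loads it keeps the Zip Slip and size guards in one place and makes the bundle loader testable without an archive. As with the other services, a rejected member here leaves earlier members on disk, so the caller should treat dest as disposable on ValueError. The function starts before this hunk and `bundle_path = (` continues past it.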