The tweet mentions bypassing both the WAF and CSP. It also questions if the website had a WAF and the bypass only targeted a filter. More details are needed to analyze further.
For more details, check out the original tweet here: https://twitter.com/snfiidev/status/1797335972751020229