blog.johlem.net

Notes on detection engineering, offensive security, and compliance — from Luxembourg's financial sector.

  1. Threat-Modeling an LLM Feature for a Regulated Client: A Methodology

    Regulated-finance clients are starting to ship LLM features and starting to be asked how they secured them. A repeatable methodology for threat-modeling an LLM-powered feature, grounded in the actuator question and the data path.

    9 min read
    • threat-modeling
    • llm-security
    • dora
    • nis2
    • ai-governance
    • regulated-finance
  2. The One LLM Security Pattern That Covers Most of the Others: Separate Generation From Actuation

    If you internalise one architectural principle for building with LLMs, make it this: the component that generates must not be the component that acts, and a content-bound human or policy gate sits between them.

    6 min read
    • llm-security
    • ai-security
    • agentic-ai
    • architecture
    • prompt-injection
    • human-in-the-loop
  3. Behavioural Detection Without Drowning in False Positives

    Atomic detection is evadable by fragmentation; behavioural detection catches the chain but threatens to bury you in alerts. The whole craft is tuning that tradeoff deliberately instead of accidentally. A practitioner's view of the ROC curve.

    11 min read
    • detection-engineering
    • soc
    • false-positives
    • roc-curve
    • kill-chain
    • ueba
  4. Responder: Listening to What a Network Tells You by Accident

    Responder exploits a quiet truth: Windows networks broadcast requests that can be answered by anyone listening. Where it earns its place, what it reveals about a network's hygiene, and why it is loud in both directions.

    6 min read
    • responder
    • offensive-tools
    • network-attacks
    • credentials
    • pentesting
    • llmnr
  5. The DGX Spark and the Case for Local LLM Inference in Security Work

    NVIDIA's GB10 desktops — the DGX Spark and its OEM twins like Lenovo's ThinkStation PGX — put 128GB of unified memory on your desk. For security work the appeal is a control boundary, not raw speed. An honest look at what this hardware is and isn't for.

    12 min read
    • dgx-spark
    • gb10
    • lenovo-pgx
    • local-llm
    • self-hosted-ai
    • data-sovereignty
    • hardware
  6. Reading Nmap Like a Defender Reads Logs: Beyond -sV

    Most people run nmap and read the open-port list. The output is far richer than that — and the difference between scanning and reconnaissance is how much you read into what nmap actually tells you.

    5 min read
    • nmap
    • kali-linux
    • reconnaissance
    • pentesting
    • scanning
  7. Multi-Turn LLM Attacks: A SOC Analyst’s Mental Model

    Decomposition, dilution, and frame-poisoning are not new attacks. They are the LLM version of a problem detection engineers solved a decade ago. Here is the mapping — and the defensive architecture it implies.

    18 min read
    • llm-security
    • detection-engineering
    • threat-modeling
    • ai-security
    • owasp-llm
  8. Metasploit in Real Work: Framework First, Exploits Second

    Metasploit's reputation is 'the exploit launcher,' which undersells it and encourages the worst way to use it. Its real value is as a framework — the plumbing around exploitation — and reaching for it deliberately rather than reflexively.

    6 min read
    • metasploit
    • offensive-tools
    • exploitation
    • pentesting
    • post-exploitation
  9. Running Local LLMs for Security Work: What Self-Hosted Inference Actually Buys You

    Self-hosted inference is often framed as a cost or privacy hobby. For security work in a regulated context, the real value is a control boundary: data that never leaves, and a model whose behaviour you fully own.

    7 min read
    • local-llm
    • self-hosted-ai
    • ollama
    • data-sovereignty
    • security
    • regulated-finance
  10. The Pyramid of Pain, Applied: How Threat Intel Should Reorder Your Detections

    Most threat intel programmes drown in low-value indicators. The pyramid of pain explains why — and how to reorder detection investment toward the indicators that actually cost an adversary something to change.

    8 min read
    • cti
    • threat-intelligence
    • pyramid-of-pain
    • detection-engineering
    • ttps
    • soc
  11. Impacket: The Library That Speaks Windows Protocols Fluently

    Impacket is not one tool but a toolkit that implements Windows network protocols directly — which is what makes it the backbone of real Active Directory work. Where its example scripts earn their place, and why protocol-level fluency matters.

    6 min read
    • impacket
    • offensive-tools
    • active-directory
    • windows-protocols
    • lateral-movement
    • pentesting
  12. The OWASP LLM Top 10, for Someone Who Has to Defend a Real Deployment

    The OWASP LLM Top 10 is usually presented as a glossary. Read instead as a defender's checklist for a deployment you actually own — which risks are architectural, which are operational, and which the list under-covers.

    11 min read
    • owasp
    • llm-security
    • ai-security
    • threat-modeling
    • defenders
    • prompt-injection
  13. Your SIEM Is Only as Good as Its Worst-Onboarded Log Source

    Detection content gets all the attention; log-source onboarding gets none. But a detection is only as good as the data underneath it, and most detection failures are really data-quality failures wearing a detection costume.

    6 min read
    • siem
    • log-management
    • detection-engineering
    • data-quality
    • soc
  14. Nuclei: Templated Scanning That Scales Without Becoming Noise

    Nuclei turns vulnerability checks into shareable templates, which makes scanning fast and repeatable — and easy to run mindlessly. Where templated scanning earns its place, and the discipline that keeps it signal rather than noise.

    6 min read
    • nuclei
    • offensive-tools
    • vulnerability-scanning
    • automation
    • templates
    • pentesting
  15. Detections Are Code: Version Control, Validation, and the Purple-Team Loop

    A detection you cannot version, test, and validate is a liability you happen to trust. Treating detections as code — with a purple-team validation loop — turns your SOC's detection library from folklore into engineering.

    10 min read
    • detection-as-code
    • purple-team
    • detection-engineering
    • ci-cd
    • atomic-red-team
    • soc
  16. Burp Suite Where It Earns Its Keep: Beyond Proxy-and-Repeater

    Burp is the default web-app testing platform, and most of its power goes unused. The workflows that actually matter in real web assessments, and the discipline that separates testing from clicking buttons.

    6 min read
    • burp-suite
    • offensive-tools
    • web-application-security
    • pentesting
    • appsec
  17. OSINT: Why the Most Valuable Reconnaissance Touches Nothing

    Open-source intelligence is reconnaissance that leaves no trace on the target because it never touches it. Why OSINT is foundational in both offensive and defensive security, what it reveals, and the discipline that separates intelligence from collection.

    7 min read
    • osint
    • reconnaissance
    • cybersecurity
    • threat-intelligence
    • attack-surface
  18. Prompt Injection vs. Jailbreaking: They’re Not the Same Threat, and the Confusion Costs You

    These two terms are used interchangeably almost everywhere, and the conflation produces wrong defences. They have different attackers, different targets, and different fixes. A clarifying piece.

    9 min read
    • prompt-injection
    • jailbreaking
    • llm-security
    • ai-security
    • threat-modeling
  19. Reading the Source: Why ePrint and Research Sites Matter in Security

    The IACR ePrint archive and sites like it are where security knowledge is born, years before it reaches tools and blog posts. Why going to primary research matters, how to engage with it, and what it gives a practitioner that secondary sources cannot.

    10 min read
    • research
    • cryptography
    • iacr-eprint
    • academic-research
    • cybersecurity
    • primary-sources
  20. One Bag, Two Roles: A Travel System for Consulting and Film Photography

    A single 30–35L bag that has to serve two incompatible-seeming roles: showing up credible for a client engagement and carrying a film camera for the streets between meetings. The system, and the constraints that shaped it.

    7 min read
    • one-bag
    • travel
    • minimalism
    • film-photography
    • consulting
    • edc
  21. The Case for Minimalism and the Command Line in Security Work

    Minimalism and the CLI are usually framed as aesthetic or nostalgic preferences. In security work they are functional advantages: composability, scriptability, reproducibility, and a smaller surface to understand and trust.

    6 min read
    • minimalism
    • command-line
    • cli
    • workflow
    • security
    • tooling
  22. QRadar to Defender: A Bilingual Detection Engineer’s Field Notes

    Running both QRadar and Defender means living in two correlation philosophies at once. The AQL-to-KQL mental translation, where the platforms genuinely differ, and the migration traps nobody warns you about.

    9 min read
    • qradar
    • microsoft-defender
    • kql
    • aql
    • siem
    • detection-engineering
  23. Defender XDR: Why the Unified Incident Is the Whole Point

    Defender XDR's defining capability isn't any single detection — it's correlating alerts from email, endpoint, identity, and cloud into one incident. Why that correlation matters, how malware detection feeds it, and where the analyst still earns their keep.

    7 min read
    • microsoft-defender
    • defender-xdr
    • incident-correlation
    • malware-detection
    • m365
    • soc
  24. Rust in Cybersecurity: Where Memory Safety Actually Changes the Game

    Rust's safety guarantees are a genuine security property, not just a developer-experience win. Where Rust meaningfully changes things in security work — building tools and writing safer software — and where the enthusiasm overshoots.

    6 min read
    • rust
    • cybersecurity
    • memory-safety
    • tooling
    • secure-development
  25. Building an Air-Gapped Proxmox Lab for OSCP Prep and Detection Engineering

    A 10-VLAN Proxmox lab on a MINISFORUM MS-A2, purpose-built for running offensive techniques against a full blue-team stack — without a single packet touching the real internet.

    18 min read
    • infrastructure
    • proxmox
    • oscp
    • detection-engineering
  26. BloodHound: Seeing Active Directory the Way an Attacker Does

    BloodHound turns Active Directory from a list of objects into a graph of attack paths. Its power is the question it answers — not 'what exists' but 'how do I get from here to domain admin' — and that reframe is the whole point.

    6 min read
    • bloodhound
    • offensive-tools
    • active-directory
    • attack-paths
    • pentesting
  27. A Reproducible Pentest Workstation: NixOS Instead of a Kali VM You’re Afraid to Rebuild

    The offensive-tooling VM that accretes state until nobody dares rebuild it is a familiar problem. A declarative pentest workstation flips it: the environment is code, disposable, and identical every time.

    7 min read
    • nixos
    • pentesting
    • kali-linux
    • reproducibility
    • workstation
    • tooling
  28. Self-Hosting a Security Stack in Regulated Finance: What’s Actually Defensible

    A segmented homelab is a threat model, not a hobby. Framing self-hosted security infrastructure for an audience that has to justify every isolation boundary to an auditor — and where EU data sovereignty stops being ideology and becomes a control.

    9 min read
    • self-hosting
    • homelab
    • data-residency
    • dora
    • eu-sovereignty
    • architecture
  29. sqlmap: Powerful, Dangerous, and Usually Used Wrong

    sqlmap automates SQL injection so thoroughly that it invites the worst habits — pointing it at everything, understanding nothing. Where it genuinely earns its place, and why understanding the injection matters more when the tool makes it easy.

    6 min read
    • sqlmap
    • offensive-tools
    • sql-injection
    • web-application-security
    • pentesting
  30. NixOS as a Security Posture: Why Declarative and Reproducible Is a Control

    NixOS is usually sold on reproducibility and developer ergonomics. For security work, the declarative model is something more specific: a system whose entire state is described, version-controlled, and rebuildable — which is a security property.

    7 min read
    • nixos
    • declarative-config
    • reproducibility
    • security
    • infrastructure-as-code
  31. Phishing Takedown: The Operational Reality

    The detection is the easy part. The real engineering in phishing takedown is verified abuse-contact resolution, a trustworthy approval gate, and a sender that can never be talked into acting on its own. A methodology, not a tool.

    7 min read
    • phishing
    • takedown
    • abuse-handling
    • automation
    • rdap
    • human-in-the-loop
  32. Alert Fatigue Is a Design Failure, Not an Analyst Failure

    When analysts miss the real alert in a flood of noise, the instinct is to blame attention or training. The flood is the actual problem, and it is a design choice. How to engineer an alert pipeline that respects the scarcest resource in the SOC.

    6 min read
    • siem
    • alert-fatigue
    • soc
    • detection-engineering
    • triage
    • alerting
  33. ffuf: Fuzzing as Reconnaissance, Not Brute Force

    ffuf is fast, and speed makes it easy to misuse. The difference between fuzzing as reconnaissance and fuzzing as noisy brute force is wordlist discipline and response reading. Where ffuf actually earns its place.

    5 min read
    • ffuf
    • offensive-tools
    • fuzzing
    • web-enumeration
    • pentesting
  34. Microsoft Defender for Office 365 and Phishing: What the Layers Actually Do

    Defender for Office 365's anti-phishing protection is a stack of distinct layers, each catching a different kind of attack. Understanding what each layer does — and what it cannot do — is the difference between configuring it well and trusting it blindly.

    8 min read
    • microsoft-defender
    • office-365
    • phishing
    • email-security
    • anti-phishing
    • m365
  35. Why My LinkedIn Is a Static Business Card

    The contrarian position: treat LinkedIn as a verification stub, not a content channel, and put every piece of real work on a platform you own. The reasoning, the tradeoffs, and why it's the right call for a consulting practice.

    9 min read
    • content-strategy
    • owned-platform
    • linkedin
    • personal-brand
    • blogging
    • consulting
  36. Python in Cybersecurity: The Glue Language That Runs the Field

    Python is the default language of practical security work for reasons that are not accidental: it is fast to write, glues everything together, and has the ecosystem. Where it dominates, where it doesn't, and how to use it well.

    6 min read
    • python
    • cybersecurity
    • automation
    • tooling
    • scripting
  37. Running 5K Every Day: What a Daily Run Actually Does

    A daily 5K is short enough to sustain and long enough to matter. The physical, mental, and discipline-building effects of a daily run — and an honest note on doing it sustainably rather than obsessively.

    6 min read
    • running
    • fitness
    • wellbeing
    • habit
    • discipline
    • health
  38. DORA & NIS2 Are Detection-Engineering Problems, Not Paperwork

    Most DORA and NIS2 writing is checklist theatre. The requirements that actually matter map directly onto SOC controls, detection coverage, and evidence your SIEM already produces. Here is the translation.

    9 min read
    • dora
    • nis2
    • compliance
    • detection-engineering
    • soc
    • regulated-finance
  39. Hashcat: Password Cracking as Intelligence, Not Just Recovery

    Hashcat recovers passwords, but its real value in an engagement is what cracked passwords tell you about an organization's password culture — and the strategy that separates efficient cracking from wasted GPU hours.

    6 min read
    • hashcat
    • offensive-tools
    • password-cracking
    • credentials
    • pentesting
  40. Kali Is a Toolbox, Not a Methodology: Using the Tools Without Becoming a Script Kiddie

    Kali ships hundreds of tools and zero judgment about when to use them. The difference between a pentester and someone running tools is the methodology around the toolbox, not the toolbox.

    7 min read
    • kali-linux
    • pentesting
    • methodology
    • oscp
    • offensive-security
  41. Why Build Your Own Security Tools When Everything Already Exists

    The toolbox is already full, so why build more? Because building your own tools encodes your methodology, fits your exact need, deepens your understanding, and gives you something you fully control and trust. The case for the craft.

    6 min read
    • tooling
    • security-tools
    • build-vs-buy
    • automation
    • craftsmanship
  42. Nmap in Real Engagements: The Five Scans That Actually Matter

    Everyone knows nmap exists. Far fewer use it deliberately. The handful of scan patterns that earn their place in real engagements, and when each one is the right call.

    6 min read
    • nmap
    • offensive-tools
    • reconnaissance
    • pentesting
    • scanning
  43. Hello, World — and What This Blog Is For

    A first post laying out what this blog covers — detection engineering, offensive tradecraft, and European compliance — and why it exists as plain HTML with nothing underneath it.

    4 min read
    • meta
    • detection-engineering
    • compliance
