-
Threat-Modeling an LLM Feature for a Regulated Client: A Methodology
Regulated-finance clients are starting to ship LLM features and starting to be asked how they secured them. A repeatable methodology for threat-modeling an LLM-powered feature, grounded in the actuator question and the data path.
-
The One LLM Security Pattern That Covers Most of the Others: Separate Generation From Actuation
If you internalise one architectural principle for building with LLMs, make it this: the component that generates must not be the component that acts, and a content-bound human or policy gate sits between them.
-
Behavioural Detection Without Drowning in False Positives
Atomic detection is evadable by fragmentation; behavioural detection catches the chain but threatens to bury you in alerts. The whole craft is tuning that tradeoff deliberately instead of accidentally. A practitioner's view of the ROC curve.
-
Responder: Listening to What a Network Tells You by Accident
Responder exploits a quiet truth: Windows networks broadcast requests that can be answered by anyone listening. Where it earns its place, what it reveals about a network's hygiene, and why it is loud in both directions.
-
The DGX Spark and the Case for Local LLM Inference in Security Work
NVIDIA's GB10 desktops — the DGX Spark and its OEM twins like Lenovo's ThinkStation PGX — put 128GB of unified memory on your desk. For security work the appeal is a control boundary, not raw speed. An honest look at what this hardware is and isn't for.
-
Reading Nmap Like a Defender Reads Logs: Beyond -sV
Most people run nmap and read the open-port list. The output is far richer than that — and the difference between scanning and reconnaissance is how much you read into what nmap actually tells you.
-
Multi-Turn LLM Attacks: A SOC Analyst’s Mental Model
Decomposition, dilution, and frame-poisoning are not new attacks. They are the LLM version of a problem detection engineers solved a decade ago. Here is the mapping — and the defensive architecture it implies.
-
Metasploit in Real Work: Framework First, Exploits Second
Metasploit's reputation is 'the exploit launcher,' which undersells it and encourages the worst way to use it. Its real value is as a framework — the plumbing around exploitation — and reaching for it deliberately rather than reflexively.
-
Running Local LLMs for Security Work: What Self-Hosted Inference Actually Buys You
Self-hosted inference is often framed as a cost or privacy hobby. For security work in a regulated context, the real value is a control boundary: data that never leaves, and a model whose behaviour you fully own.
-
The Pyramid of Pain, Applied: How Threat Intel Should Reorder Your Detections
Most threat intel programmes drown in low-value indicators. The pyramid of pain explains why — and how to reorder detection investment toward the indicators that actually cost an adversary something to change.
-
Impacket: The Library That Speaks Windows Protocols Fluently
Impacket is not one tool but a toolkit that implements Windows network protocols directly — which is what makes it the backbone of real Active Directory work. Where its example scripts earn their place, and why protocol-level fluency matters.
-
The OWASP LLM Top 10, for Someone Who Has to Defend a Real Deployment
The OWASP LLM Top 10 is usually presented as a glossary. Read it instead as a defender's checklist for a deployment you actually own — which risks are architectural, which are operational, and which the list under-covers.
-
Your SIEM Is Only as Good as Its Worst-Onboarded Log Source
Detection content gets all the attention; log-source onboarding gets none. But a detection is only as good as the data underneath it, and most detection failures are really data-quality failures wearing a detection costume.
-
Nuclei: Templated Scanning That Scales Without Becoming Noise
Nuclei turns vulnerability checks into shareable templates, which makes scanning fast and repeatable — and easy to run mindlessly. Where templated scanning earns its place, and the discipline that keeps it signal rather than noise.
-
Detections Are Code: Version Control, Validation, and the Purple-Team Loop
A detection you cannot version, test, and validate is a liability you happen to trust. Treating detections as code — with a purple-team validation loop — turns your SOC's detection library from folklore into engineering.
-
Burp Suite Where It Earns Its Keep: Beyond Proxy-and-Repeater
Burp is the default web-app testing platform, and most of its power goes unused. The workflows that actually matter in real web assessments, and the discipline that separates testing from clicking buttons.
-
OSINT: Why the Most Valuable Reconnaissance Touches Nothing
Open-source intelligence is reconnaissance that leaves no trace on the target because it never touches it. Why OSINT is foundational in both offensive and defensive security, what it reveals, and the discipline that separates intelligence from collection.
-
Prompt Injection vs. Jailbreaking: They’re Not the Same Threat, and the Confusion Costs You
These two terms are used interchangeably almost everywhere, and the conflation produces wrong defences. They have different attackers, different targets, and different fixes. A clarifying piece.
-
Reading the Source: Why ePrint and Research Sites Matter in Security
The IACR ePrint archive and sites like it are where security knowledge is born, years before it reaches tools and blog posts. Why going to primary research matters, how to engage with it, and what it gives a practitioner that secondary sources cannot.
-
One Bag, Two Roles: A Travel System for Consulting and Film Photography
A single 30–35L bag that has to serve two incompatible-seeming roles: showing up credible for a client engagement and carrying a film camera for the streets between meetings. The system, and the constraints that shaped it.
-
The Case for Minimalism and the Command Line in Security Work
Minimalism and the CLI are usually framed as aesthetic or nostalgic preferences. In security work they are functional advantages: composability, scriptability, reproducibility, and a smaller surface to understand and trust.
-
QRadar to Defender: A Bilingual Detection Engineer’s Field Notes
Running both QRadar and Defender means living in two correlation philosophies at once. The AQL-to-KQL mental translation, where the platforms genuinely differ, and the migration traps nobody warns you about.
-
Defender XDR: Why the Unified Incident Is the Whole Point
Defender XDR's defining capability isn't any single detection — it's correlating alerts from email, endpoint, identity, and cloud into one incident. Why that correlation matters, how malware detection feeds it, and where the analyst still earns their keep.
-
Rust in Cybersecurity: Where Memory Safety Actually Changes the Game
Rust's safety guarantees are a genuine security property, not just a developer-experience win. Where Rust meaningfully changes things in security work — building tools and writing safer software — and where the enthusiasm overshoots.
-
Building an Air-Gapped Proxmox Lab for OSCP Prep and Detection Engineering
A 10-VLAN Proxmox lab on a MINISFORUM MS-A2, purpose-built for running offensive techniques against a full blue-team stack — without a single packet touching the real internet.
-
BloodHound: Seeing Active Directory the Way an Attacker Does
BloodHound turns Active Directory from a list of objects into a graph of attack paths. Its power is the question it answers — not 'what exists' but 'how do I get from here to domain admin' — and that reframe is the whole point.
-
A Reproducible Pentest Workstation: NixOS Instead of a Kali VM You’re Afraid to Rebuild
The offensive-tooling VM that accretes state until nobody dares rebuild it is a familiar problem. A declarative pentest workstation flips it: the environment is code, disposable, and identical every time.
-
Self-Hosting a Security Stack in Regulated Finance: What’s Actually Defensible
A segmented homelab is a threat model, not a hobby. Framing self-hosted security infrastructure for an audience that has to justify every isolation boundary to an auditor — and where EU data sovereignty stops being ideology and becomes a control.
-
sqlmap: Powerful, Dangerous, and Usually Used Wrong
sqlmap automates SQL injection so thoroughly that it invites the worst habits — pointing it at everything, understanding nothing. Where it genuinely earns its place, and why understanding the injection matters more when the tool makes it easy.
-
NixOS as a Security Posture: Why Declarative and Reproducible Is a Control
NixOS is usually sold on reproducibility and developer ergonomics. For security work, the declarative model is something more specific: a system whose entire state is described, version-controlled, and rebuildable — which is a security property.
-
Phishing Takedown: The Operational Reality
The detection is the easy part. The real engineering in phishing takedown is verified abuse-contact resolution, a trustworthy approval gate, and a sender that can never be talked into acting on its own. A methodology, not a tool.
-
Alert Fatigue Is a Design Failure, Not an Analyst Failure
When analysts miss the real alert in a flood of noise, the instinct is to blame attention or training. The flood is the actual problem, and it is a design choice. How to engineer an alert pipeline that respects the scarcest resource in the SOC.
-
ffuf: Fuzzing as Reconnaissance, Not Brute Force
ffuf is fast, and speed makes it easy to misuse. The difference between fuzzing as reconnaissance and fuzzing as noisy brute force is wordlist discipline and response reading. Where ffuf actually earns its place.
-
Microsoft Defender for Office 365 and Phishing: What the Layers Actually Do
Defender for Office 365's anti-phishing protection is a stack of distinct layers, each catching a different kind of attack. Understanding what each layer does — and what it cannot do — is the difference between configuring it well and trusting it blindly.
-
Why My LinkedIn Is a Static Business Card
The contrarian position: treat LinkedIn as a verification stub, not a content channel, and put every piece of real work on a platform you own. The reasoning, the tradeoffs, and why it's the right call for a consulting practice.
-
Python in Cybersecurity: The Glue Language That Runs the Field
Python is the default language of practical security work for reasons that are not accidental: it is fast to write, glues everything together, and has the ecosystem. Where it dominates, where it doesn't, and how to use it well.
-
Running 5K Every Day: What a Daily Run Actually Does
A daily 5K is short enough to sustain and long enough to matter. The physical, mental, and discipline-building effects of a daily run — and an honest note on doing it sustainably rather than obsessively.
-
DORA & NIS2 Are Detection-Engineering Problems, Not Paperwork
Most DORA and NIS2 writing is checklist theatre. The requirements that actually matter map directly onto SOC controls, detection coverage, and evidence your SIEM already produces. Here is the translation.
-
Hashcat: Password Cracking as Intelligence, Not Just Recovery
Hashcat recovers passwords, but its real value in an engagement is what cracked passwords tell you about an organization's password culture — and the strategy that separates efficient cracking from wasted GPU hours.
-
Kali Is a Toolbox, Not a Methodology: Using the Tools Without Becoming a Script Kiddie
Kali ships hundreds of tools and zero judgment about when to use them. The difference between a pentester and someone running tools is the methodology around the toolbox, not the toolbox.
-
Why Build Your Own Security Tools When Everything Already Exists
The toolbox is already full, so why build more? Because building your own tools encodes your methodology, fits your exact need, deepens your understanding, and gives you something you fully control and trust. The case for the craft.
-
Nmap in Real Engagements: The Five Scans That Actually Matter
Everyone knows nmap exists. Far fewer use it deliberately. The handful of scan patterns that earn their place in real engagements, and when each one is the right call.
-
Hello, World — and What This Blog Is For
A first post laying out what this blog covers — detection engineering, offensive tradecraft, and European compliance — and why it exists as plain HTML with nothing underneath it.