Threat intelligence reports, detection engineering guides, and cybersecurity research from the Magonia team.
From individual incident response to tracking adversaries across campaigns. Activity threading, analytic pivoting, and turning your own incidents into detection opportunities and structured threat intelligence.
The EDR Telemetry Project's website tells visitors to "validate detection logic" and endorses its use for guiding procurement decisions. The disclaimers saying it shouldn't be used for that exist only on GitHub. Public feedback suggesting it be clarified it can't be used for detection were ignored.
A.I. insanity has reached no heights. As vendors scream about AI super threats while the reality is boring.
Every detection can be evaded. So what's worse: missing an attack or drowning in noise? The Base-Rate Fallacy shows that false positives are the true limiting factor. The goal isn't to be perfect; it's to be a difficult target. Each layer that forces an adversary to adapt is a win.
A new paper questions fuzzy hashing, but real-world data tells a different story. I share practical lessons for reducing false positives and argue that the future of TLSH isn't in alerting, it's in enriching events to create high-fidelity detections.
Have we become so focused on TTPs that we've dismissed the value at the bottom of the pyramid? This post explores what role IOC's have in a modern detection program if any, and what the future may look like for them.
In cybersecurity, nobody agrees on what "visibility" means. This post cuts through vendor hype with a practical framework, using a Splunk article's model of telemetry, monitoring, and observability to give your entire team a shared language to build better defenses.
The author of the EDR Telemetry Project responded, accusing me of spreading misinformation by saying his project was for detection, that it's always only ever been about telemetry. The problem is, his own words contradict him.
The EDR Telemetry Project is misleading. Its scoring only defines if telemetry is collected, not if it's actually useable. This post breaks down why the project is flawed in its current state and how some minor tweaks could make it truly valuable.
The response to the first article was really positive, and it highlighted something I've seen a lot: many of us in security come from backgrounds in IT, networking,
Breaking into cybersecurity feels impossible right now. This isn't a magic formula, but my personal story of navigating the field. Learn from my experiences with degrees, certs, and networking to find your own way in a tough job market.
Ask anyone who’s worked in a SOC long enough and they’ll tell you: debates over “true positive” versus “false positive” happen a lot. Usually, the conversation goes in circles—one person insists an alert was a false positive, another argues it was technically a true positive,